Sanitize file names for storing attachments (fixes #19)

oblac · Aug 29, 2024 · 16982ce · 16982ce
1 parent 2bbcc3d
commit 16982ce
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 10 deletions.
diff --git a/src/main/java/jodd/mail/EmailAttachmentBuilder.java b/src/main/java/jodd/mail/EmailAttachmentBuilder.java
@@ -25,18 +25,19 @@
 
 package jodd.mail;
 
+import jakarta.activation.DataSource;
+import jakarta.activation.FileDataSource;
 import jakarta.mail.util.ByteArrayDataSource;
 import jodd.io.FileNameUtil;
 import jodd.io.FileUtil;
 import jodd.net.MimeTypes;
 
-import jakarta.activation.DataSource;
-import jakarta.activation.FileDataSource;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 
 import static jodd.mail.EmailUtil.NO_NAME;
+import static jodd.mail.EmailUtil.sanitizeFileName;
 
 /**
  * Helper class for convenient {@link EmailAttachment} creation.
@@ -229,7 +230,7 @@ public EmailAttachment<FileDataSource> buildFileDataSource(final String messageI
 			if (dataSource instanceof FileDataSource) {
 				fds = (FileDataSource) dataSource;
 			} else {
-				final File file = new File(attachmentStorage, messageId);
+				final File file = new File(attachmentStorage, sanitizeFileName(messageId));
 				FileUtil.writeStream(file, dataSource.getInputStream());
 				fds = new FileDataSource(file);
 			}

diff --git a/src/main/java/jodd/mail/EmailUtil.java b/src/main/java/jodd/mail/EmailUtil.java
@@ -225,4 +225,8 @@ public static boolean isEmptyFlags(final Flags flags) {
 		return true;
 	}
 
+	public static String sanitizeFileName(final String fileName) {
+		return fileName.replaceAll("[^a-zA-Z0-9.-]", "_");
+	}
+
 }
diff --git a/src/main/java/jodd/mail/ImapServer.java b/src/main/java/jodd/mail/ImapServer.java
@@ -92,7 +92,8 @@ public ReceiveMailSession createSession() {
 			createSessionProperties(),
 			authenticator,
 			attachmentStorage,
-				debugConsumer);
+			debugConsumer
+		);
 	}
 
 }
diff --git a/src/main/java/jodd/mail/Pop3Server.java b/src/main/java/jodd/mail/Pop3Server.java
@@ -95,10 +95,12 @@ protected Store getStore(final Session session) throws NoSuchProviderException {
 	@Override
 	public ReceiveMailSession createSession() {
 		return EmailUtil.createSession(
-				PROTOCOL_POP3,
-				createSessionProperties(),
-				authenticator,
-				attachmentStorage, debugConsumer);
+			PROTOCOL_POP3,
+			createSessionProperties(),
+			authenticator,
+			attachmentStorage,
+			debugConsumer
+		);
 	}
 
 }
diff --git a/src/main/java/jodd/mail/ReceivedEmail.java b/src/main/java/jodd/mail/ReceivedEmail.java
@@ -44,7 +44,8 @@
 import java.util.Date;
 import java.util.List;
 
-import static jakarta.mail.Flags.*;
+import static jakarta.mail.Flags.Flag;
+import static jodd.mail.EmailUtil.sanitizeFileName;
 
 /**
  * Received email.
@@ -444,7 +445,7 @@ private ReceivedEmail addAttachment(final Part part, final InputStream content,
 		final EmailAttachmentBuilder builder = addAttachmentInfo(part);
 		builder.content(content, part.getContentType());
 		if (attachmentStorage != null) {
-			String name = messageId + "-" + (this.attachments().size() + 1);
+			final String name = sanitizeFileName(messageId) + "-" + (this.attachments().size() + 1);
 			return storeAttachment(builder.buildFileDataSource(name, attachmentStorage));
 		}
 		return storeAttachment(builder.buildByteArrayDataSource());

diff --git a/src/test/java/jodd/mail/EmailUtilTest.java b/src/test/java/jodd/mail/EmailUtilTest.java
@@ -86,4 +86,10 @@ void testIsEmptyFlags() {
 		assertTrue(EmailUtil.isEmptyFlags(flags));
 	}
 
+	@Test
+	void testSanitizeFileName() {
+		assertEquals("file.txt", EmailUtil.sanitizeFileName("file.txt"));
+		assertEquals("_6d0455f09ad249c897c0aa28a7ee3579_domain_", EmailUtil.sanitizeFileName("<6d0455f09ad249c897c0aa28a7ee3579@domain>"));
+	}
+
 }