From 49c7f4111d0e0bf2e8e5eb661fc869006c2db2e1 Mon Sep 17 00:00:00 2001
From: kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Sun, 10 Feb 2008 16:21:46 +0000
Subject: [PATCH] improve message ID generation: put together a string based on
 user-data (username, IP, remote port), serial data (time in ms) and
 randomness, and put this all through a one-way hash. This makes the chance on
 collisions unrealistically small, and at the same time prevents all kinds of
 trouble when some vars are not available or contain non-allowed information
 (like IPv6 addresses).

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@12929 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 class/deliver/Deliver.class.php | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/class/deliver/Deliver.class.php b/class/deliver/Deliver.class.php
index cbf12187..2f8e6a31 100644
--- a/class/deliver/Deliver.class.php
+++ b/class/deliver/Deliver.class.php
@@ -491,8 +491,10 @@ class Deliver {
         global $domain, $username, $encode_header_key,
                $edit_identity, $hide_auth_header;
 
-        /* if server var SERVER_NAME not available, use $domain */
-        if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
+        /* if server var SERVER_NAME not available, or contains
+           ":" (e.g. IPv6) which is illegal in a Message-ID, use $domain */
+        if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER) ||
+            strpos($SERVER_NAME,':') !== FALSE) {
             $SERVER_NAME = $domain;
         }
 
@@ -506,16 +508,17 @@ class Deliver {
 
         /* This creates an RFC 822 date */
         $date = date('D, j M Y H:i:s ', time()) . $this->timezone();
+
         /* Create a message-id */
-        $message_id = '<' . (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
-//FIXME: if $REMOTE_ADDR is missing, should we skip this if/else block?  or perhaps try to generate it with some different kind of info?
-        if (isset($encode_header_key) && trim($encode_header_key)!='') {
-            // use encrypted form of remote address
-            $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key));
-        } else {
-            $message_id.= $REMOTE_ADDR;
-        }
-        $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>';
+        $message_id = '<';
+        /* user-specifc data to decrease collision chance */
+        $seed_data = $username . '.';
+        $seed_data .= (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
+        $seed_data .= (!empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : '');
+        /* add the current time in milliseconds and randomness */
+        $seed_data .= uniqid(mt_rand(),true);
+        /* put it through one-way hash and add it to the ID */
+        $message_id .= md5($seed_data) . '.squirrel@' . $SERVER_NAME .'>';
         $this->message_id = $message_id;
 
         /* Make an RFC822 Received: line */
-- 
2.25.1