[Bug 491352] Re: Patch for incorrect charset in notification emails

Benjamin Drung 491352 at bugs.launchpad.net
Wed Aug 3 08:19:06 UTC 2022 

Hi, I tried to check all sudo bugs with attached patches. Sadly the
upstream bug link is broken. So I cannot follow-up the upstream
progress. The git history revealed no reference to bug number 457.

Looking at the upstream code, I found following in
lib/eventlog/eventlog.c:

#if defined(HAVE_NL_LANGINFO) && defined(CODESET)
    locale = setlocale(LC_ALL, NULL);
    if (locale[0] != 'C' || locale[1] != '\0')
	(void) fprintf(mail, "\nContent-Type: text/plain; charset=\"%s\"\nContent-Transfer-Encoding: 8bit", nl_langinfo(CODESET));
#endif /* HAVE_NL_LANGINFO && CODESET */

So I assume that it was fixed upstream. This code snippet was introduced
in commit bd1ca79cca827a92e904f022e49df121931d4ff5 and was part of sudo
1.9.4 which landed in Ubuntu 22.04 (jammy).

If my assumption is wrong, please reopen this bug report.

** Changed in: sudo (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/491352

Title:
  Patch for incorrect charset in notification emails

Status in sudo:
  Unknown
Status in sudo package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: sudo

  sudo uses strftime() to generate the date string in the notification
  mails sent to administrators when something fishy happens. strftime()
  generates the date according to locale env vars. This could result in
  date strings containing arbitrary characters in arbitrary charsets
  (think UTF-8 in far eastern languages).

  By default, email messages are us-ascii. sudo does no conversion of
  the data returned by strftime (which is in the user's current charset)
  to the default us-ascii charset. This causes non-ascii dates to come
  through as garbage.

  Solution:
   1. stop using strftime. The code actually has the strftime code in a IFDEF, remove that whole ifdef, and use ctime, which is ascii.
   2. insert charset information into the notification email. add header (Content-Type: text/plain; charset="<nl_langinfo(CODESET)>") and (Content-Transfer-Encoding: 8bit).

  downside of solution 2:
   1. 8bit transfer encoding is required. 8bit is not strictly supported by SMTP, although is supported by most MTA's, probably all MTA's in the Ubuntu repo.
   2. Also, since the strftime uses the locale of the user, it could represent the date in some language unreadable by the sysadmin (who receives the notification, but does not necessarily read the same language as the user who committed whatever offense). ctime() always represents the date in English ASCII. I think we can safely assume the large majority of sysadmins out there can read English ASCII?

  I've attached a patch to only use ctime in notification emails and
  logging. Since launch pad only allows one attachment  at time of bug
  creation, I'll try attach the other patch after I've submitted this.
  Here's hoping I can do that.

To manage notifications about this bug go to:
https://bugs.launchpad.net/sudo/+bug/491352/+subscriptions

More information about the foundations-bugs mailing list