From 28d160e55db9de9aede16af1bf0a8c28ca8a3e6b Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Mon, 27 Nov 2017 22:34:53 +0000
Subject: [PATCH] Fix a bug in the get_msg_header() method introduced in rev
 1.195 (12-Nov-2016): The 'expand_fields' argument wasn't being parsed correctly
 and defaulted to 'true', so any script that modifies a message header could be
 writing-back expanded header fields which may sometimes fail depending on
 how much the total header size expanded. Enhancement: the put_msg_header()
 method will now fail with an exception if a script tries to write-back a
 message header that was read with expanded fields. This should help to avoid
 potential message base corruption through a script bug.

---
 src/sbbs3/js_msgbase.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/sbbs3/js_msgbase.c b/src/sbbs3/js_msgbase.c
index 32dcdf0b40..4906514425 100644
--- a/src/sbbs3/js_msgbase.c
+++ b/src/sbbs3/js_msgbase.c
@@ -1468,11 +1468,11 @@ js_get_msg_header(JSContext *cx, uintN argc, jsval *arglist)
 	/* Now parse message offset/id and get message */
 	if(JSVAL_IS_NUMBER(argv[n])) {
 		if(by_offset) {							/* Get by offset */
-			if(!JS_ValueToInt32(cx,argv[n],(int32*)&(p->msg).offset))
+			if(!JS_ValueToInt32(cx,argv[n++],(int32*)&(p->msg).offset))
 				return JS_FALSE;
 		}
 		else {									/* Get by number */
-			if(!JS_ValueToInt32(cx,argv[n],(int32*)&(p->msg).hdr.number))
+			if(!JS_ValueToInt32(cx,argv[n++],(int32*)&(p->msg).hdr.number))
 				return JS_FALSE;
 		}
 
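Review bot: The `n++` added on both new lines (and the same edit in the by-ID branch of the next hunk) leaves n one past the offset/number argument, so the later read of the optional expand_fields argument that the commit message describes must be guarded by `argc > n` before `argv[n]` is touched; that read lies outside this hunk, so confirm the guard is there rather than indexing argv unconditionally. The pre-existing cast `(int32*)&(p->msg).offset` also survives the change: if offset and hdr.number are unsigned 32-bit fields, JS_ValueToInt32 cannot express values above INT32_MAX, and an unsigned conversion (JS_ValueToECMAUint32 with a matching pointer type) would be the honest contract — a separate cleanup from this fix. js_get_msg_header begins before this hunk and continues past it.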
@@ -1496,7 +1496,7 @@ js_get_msg_header(JSContext *cx, uintN argc, jsval *arglist)
 		smb_unlockmsghdr(&(p->p->smb),&(p->msg)); 
 		JS_RESUMEREQUEST(cx, rc);
 	} else if(JSVAL_IS_STRING(argv[n]))	{		/* Get by ID */
-		JSSTRING_TO_MSTRING(cx, JSVAL_TO_STRING(argv[n]), cstr, NULL);
+		JSSTRING_TO_MSTRING(cx, JSVAL_TO_STRING(argv[n++]), cstr, NULL);
 		HANDLE_PENDING(cx);
 		rc=JS_SUSPENDREQUEST(cx);
 		if((p->p->status=smb_getmsghdr_by_msgid(&(p->p->smb),&(p->msg)
@@ -1788,6 +1788,13 @@ js_put_msg_header(JSContext *cx, uintN argc, jsval *arglist)
 
 	hdr = JSVAL_TO_OBJECT(argv[n++]);
 
+	privatemsg_t* mp;
+	mp=(privatemsg_t*)JS_GetPrivate(cx,hdr);
+	if(mp->expand_fields) {
+		JS_ReportError(cx, "Message header has 'expanded fields'", WHERE);
+		return JS_FALSE;
+	}
+
 	rc=JS_SUSPENDREQUEST(cx);
 	if((p->status=smb_getmsgidx(&(p->smb), &msg))!=SMB_SUCCESS) {
 		JS_RESUMEREQUEST(cx, rc);
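Review bot: The new `mp->expand_fields` test dereferences whatever JS_GetPrivate() returns without checking that hdr is actually a message-header object: a plain script object yields NULL (null dereference), and an object of some other private-carrying class yields a pointer to an unrelated struct, so the guard meant to prevent message-base corruption can itself crash or misread memory on a bad argument. Gate the check on the object's class and on a non-NULL private, e.g. `privatemsg_t* mp = NULL;` / `if(JS_InstanceOf(cx, hdr, &<msg-header-class>, NULL) && (mp=(privatemsg_t*)JS_GetPrivate(cx,hdr))!=NULL && mp->expand_fields) {` (placeholder for the header class defined earlier in the file), which also folds the separate declaration and assignment into one line in keeping with C99 style. The format string passed to JS_ReportError has no conversion specifier, so the trailing `WHERE` argument is presumably never printed unless that macro expands to include one — either add the specifier the macro expects or drop the argument. js_put_msg_header begins before this hunk and continues past it.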
-- 
GitLab