[Pkg-roundcube-maintainers] Bug#1078775: roundcube-core: Contacts import: Whitespace & vCard object separators

Einhard Leichtfuß alguien at respiranto.de
Thu Aug 15 23:03:54 BST 2024


Package: roundcube
Version: 1.6.5+dfsg-1+deb12u4
Severity: normal

Dear Maintainer,

this bug report describes several related bugs, related to
 a) whitespace (space, tab) in imported vCard files, and
 b) vCard object separators (`BEGIN:VCARD`, `END:VCARD`).

------------------------------------------------------------------------

Bug 1: Leading whitespace in line continuation silently dropped

Example (note that vCard mandates CRLF as newline sequence):
---
BEGIN:VCARD
VERSION:3.0
N:Doe;Jane;;;
FN:Jane Doe
NOTE:an
  example
END:VCARD
---

The NOTE value is parsed as `anexample` instead of `an example` (only
the first whitespace character should be dropped - see RFC 2426).

In particular, this means that a Roundcube export followed by a
Roundcube import may silently fail to recreate the original data.

------------------------------------------------------------------------

Note 2: Leading and trailing whitespace in a logical line is silently
  dropped

Any number of space/tab characters at the start or end of a logical
line (or a component value, such as in `N`) is dropped.

This is not a bug, IMHO, given that Roundcube also strips surrounding
whitespace when entering data via its web UI.

I think it might be related, however.

------------------------------------------------------------------------

Note 3: Repeated `BEGIN:VCARD`: All ignored until last

If there are multiple `BEGIN:VCARD` lines before any `END:VCARD` line,
all lines (not only `BEGIN:VCARD` lines) until the last of those
`BEGIN:VCARD` lines are ignored.

I would say this is also not a bug, because such input is invalid.  A
warning or error message would certainly be nice, though.

------------------------------------------------------------------------

Note 4: Repeated `END:VCARD` cause duplication

If a vCard object is terminated by more than one `END:VCARD` line, the
entry is imported as often as there are `END:VCARD` lines.

If on import, one does *not* choose to "[r]eplace the entire address
book", only one instance is imported, but with the note "Skipped (n-1)
existing entries: [...]".

Any physical lines after the first `END:VCARD` that are neither
`BEGIN:VCARD` nor `END:VCARD` are apparently ignored.

Again, not necessarily a bug, because any such input is of invalid
syntax (but a warning or error message would be nice).

------------------------------------------------------------------------

Bug 5: vCard object separators wrongly recognized in line continuations

If a physical line is of the form `[ \t]+(BEGIN|END):VCARD`, it is used
as line continuation, but also recognized as vCard object start/end
marker.

Example:
---
NOTE:example
 END:VCARD
---

This is treated the same as:
---
NOTE:exampleEND:VCARD
END:VCARD
---

Note: For `BEGIN:VCARD`, the use as line continuation can only be
assumed, given that preceding lines are ignored (see Note 3).

While this bug may seem unlikely in practice, I actually witnessed it
with real data, likely due to past import/export errors.

------------------------------------------------------------------------

Bug 6: vCard object separators not parsed as logical lines

(6.1) Any logical line `BEGIN:VCARD` or `END:VCARD` that is broken into
multiple physical lines using `\r\n[ \t]\r\n` is not recognized as such.

(6.2) On the other hand, if a physical line `BEGIN:VCARD` or `END:VCARD`
is followed by a line continuation (i.e., a line starting with `[ \t]`),
this is (incorrectly) recognized as the corresponding vCard object
separator, and the line continuation is silently ignored.

Example for (6.1):
---
BEGIN:VCARD
VERSION:3.0
N:Doe;Jane;;;
FN:Jane Doe
EMAIL:jane.doe@example.net
END:
 VCARD
---

The above example fails to import (and is instead attempted to be parsed
as CSV--without success).

I acknowledge that this bug hardly occurs in practice.  I found it while
investigating the other bugs.


- Einhard Leichtfuß


-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages roundcube-core depends on:
ii  dbconfig-common                 2.0.24
ii  debconf [debconf-2.0]           1.5.82
ii  dpkg                            1.21.22
ii  libjs-bootstrap4                4.6.1+dfsg1-4
ii  libjs-codemirror                5.65.0+~cs5.83.9-2
ii  libjs-jquery                    3.6.1+dfsg+~3.5.14-1
ii  libjs-jquery-minicolors         2.3.5+dfsg-4
ii  libjs-jquery-ui                 1.13.2+dfsg-1
ii  libjs-jstimezonedetect          1.0.7+~1.0.3-1
ii  libmagic1                       1:5.44-3
ii  php                             2:8.2+93
ii  php-auth-sasl                   1.1.0-1
pn  php-cli                         <none>
ii  php-common                      2:93
ii  php-guzzlehttp-guzzle           7.4.5-1
ii  php-intl                        2:8.2+93
ii  php-mail-mime                   1.10.11-1
ii  php-masterminds-html5           2.7.6+dfsg-1
ii  php-mbstring                    2:8.2+93
ii  php-net-sieve                   1.4.6-1
ii  php-net-smtp                    1.10.1-1
ii  php-pear                        1:1.10.13+submodules+notgz+2022032202-2
ii  php8.2 [php]                    8.2.20-1~deb12u1
ii  php8.2-cli [php-json]           8.2.20-1~deb12u1
ii  php8.2-fpm [php-json]           8.2.20-1~deb12u1
ii  php8.2-intl [php-intl]          8.2.20-1~deb12u1
ii  php8.2-mbstring [php-mbstring]  8.2.20-1~deb12u1
ii  roundcube-pgsql                 1.6.5+dfsg-1+deb12u4
ii  ucf                             3.0043+nmu1

Versions of packages roundcube-core recommends:
ii  nginx [httpd-cgi]             1.22.1-9
ii  php-enchant                   2:8.2+93
ii  php-fpm                       2:8.2+93
pn  php-gd                        <none>
ii  php8.2-enchant [php-enchant]  8.2.20-1~deb12u1
ii  php8.2-fpm [php-fpm]          8.2.20-1~deb12u1
pn  roundcube-skin-classic        <none>
ii  roundcube-skin-larry          1.6.0+ds-2

Versions of packages roundcube-core suggests:
pn  php-bacon-qr-code           <none>
pn  php-bjeavons-zxcvbn-php     <none>
pn  php-crypt-gpg               <none>
pn  php-net-ldap3               <none>
pn  php-roundcube-rtf-html-php  <none>
pn  roundcube-plugins           <none>

Versions of packages roundcube depends on:
ii  dpkg  1.21.22

-- Configuration Files:
/etc/cron.d/roundcube-core changed:
MAILTO=root
0 5 * * * www-data test -d /run/systemd/system || /usr/share/roundcube/bin/cleandb.sh >/dev/null
5,35 * * * * www-data test -d /run/systemd/system || /usr/share/roundcube/bin/gc.sh


-- debconf information:
  roundcube/upgrade-backup: true
  roundcube/pgsql/method: TCP/IP
  roundcube/db/dbname: roundcube
  roundcube/db/app-user: roundcube@localhost
  roundcube/remote/port:
  roundcube/pgsql/no-empty-passwords:
  roundcube/hosts: localhost:143
  roundcube/dbconfig-reinstall: false
  roundcube/language: en_US
  roundcube/passwords-do-not-match:
  roundcube/dbconfig-remove: true
  roundcube/remote/newhost: localhost
  roundcube/pgsql/authmethod-admin: ident
  roundcube/pgsql/changeconf: false
  roundcube/pgsql/authmethod-user: password
  roundcube/internal/skip-preseed: false
  roundcube/pgsql/manualconf:
  roundcube/remote/host: localhost
  roundcube/purge: false
* roundcube/dbconfig-install: false
  roundcube/dbconfig-upgrade: true
  roundcube/pgsql/admin-user: postgres
  roundcube/reconfigure-webserver: apache2, lighttpd
  roundcube/internal/reconfiguring: false
  roundcube/remove-error: abort
  roundcube/database-type: pgsql
  roundcube/install-error: abort
  roundcube/missing-db-package-error: abort
  roundcube/restart-webserver: true
  roundcube/upgrade-error: abort


