Go to file

Ken Johnson 180ca954f7 Harden parsers against crafted message-base files

Audit pass targeting attacker-controlled binary inputs (.JHR, .SQD,
*.MSG, Wildcat ISAM) and shared-directory sentinels.  Caps bound
allocations driven by in-file length fields; a few forward-only
invariants bound chain walks; O_NOFOLLOW plugs a lock-file
symlink-swap window.

JAM  (mb.fmt.jam): cap SubfieldLen (ReadSubFields) and TxtLen
(ReadBody) at 64 MiB.  Reject negative TxtOffset before seek.

Squish  (mb.fmt.squish): reject clen/msg_length outside the frame,
and clen > msg_length - SizeOf(SqMsgHdr) (prevents bodyLen
underflow into a negative SetLength argument).  ReIndex now
rejects non-forward next_frame and caps total hops.

Wildcat  (mb.fmt.wildcat): clamp Hdr.MsgBytes to SizeOf(TMsgText)
in ReadBody so Move() cannot read past the fixed-size buffer.

*.MSG  (mb.fmt.msg): cap ReadBody growth at 16 MiB; pre-size the
AnsiString so concatenation is O(n), not O(n^2).

mb.kludge: pre-count CRs so SplitKludgeBlob is O(n) instead of
O(n^2), and cap the parsed line count at 10 K.

mb.lock: POSIX fpOpen now passes O_NOFOLLOW so a symlink that an
attacker drops in place of the sentinel between FileExists and
fpOpen does not redirect us.  Advisory flock semantics unchanged.

mb.paths: new IsSafePathComponent / EnforceSafePathComponent
helpers.  Reject empty, '.', '..', absolute, drive-prefixed, or
separator-bearing tails; used by callers that accept area tags or
filenames from outside data.

2026-04-19 06:27:46 -07:00

docs

Add TMessageBase.Sync for crash-safe per-message acknowledgement

2026-04-18 19:22:07 -07:00

examples

Rename ma.* -> mb.* namespace (cosmetic, breaking)

2026-04-18 13:19:15 -07:00

src

Harden parsers against crafted message-base files

2026-04-19 06:27:46 -07:00

tests

Add TMessageBase.Sync for crash-safe per-message acknowledgement

2026-04-18 19:22:07 -07:00

.gitignore

Initial scaffold: layout, fpc.cfg, README, architecture doc

2026-04-14 10:40:56 -07:00

build.sh

Sparse-file fix for Hudson/GoldBase HWM extension + build.sh follow-up

2026-04-18 18:00:02 -07:00

fpc.cfg

Rename to fpc-msgbase, scrub false-provenance Allfix references

2026-04-17 12:47:43 -07:00

README.md

0.4.0: PKT moves to fpc-ftn-transport (breaking change)

2026-04-18 11:32:42 -07:00

run_tests.sh

0.4.0: PKT moves to fpc-ftn-transport (breaking change)

2026-04-18 11:32:42 -07:00

README.md

fpc-msgbase

A unified Free Pascal library for reading and writing classic BBS message bases.

Implements every supported format from the FTSC specifications and the original format authors' published documentation, behind one polymorphic API (TMessageBase). BBS software, mail tossers, message editors, and utilities can target a single interface regardless of the underlying format on disk.

Supported formats

Format	Files	Backend unit
Hudson	MSGINFO/IDX/HDR/TXT/TOIDX.BBS	`ma.fmt.hudson.pas`
JAM	`.JHR` `.JDT` `.JDX` `.JLR`	`ma.fmt.jam.pas`
Squish	`.SQD` `.SQI` `*.SQL`	`ma.fmt.squish.pas`
FTS-1 MSG	numbered `*.MSG` per directory	`ma.fmt.msg.pas`
PCBoard	`.MSG` + `.IDX`	`ma.fmt.pcboard.pas`
EzyCom	`MH#####.BBS` / `MT#####.BBS`	`ma.fmt.ezycom.pas`
GoldBase	MSGINFO/IDX/HDR/TXT/TOIDX.DAT	`ma.fmt.goldbase.pas`
Wildcat 4	WC SDK databases	`ma.fmt.wildcat.pas`

FTN PKT is a transport-tier wire format and lives in the sibling fpc-ftn-transport library (units tt.pkt.reader, tt.pkt.writer, tt.pkt.format, tt.pkt.batch). The mbfPkt factory enum stays in fpc-msgbase so consumers wanting to iterate .pkt files via the unified API (MessageBaseOpen(mbfPkt, ...)) just add uses tt.pkt.reader alongside fpc-msgbase. PKT was here through 0.3.x; moved out in 0.4.0 because PKT is a wire format, not a storage format.

Features

One TMessageBase abstract class — read, write, pack, reindex through the same methods regardless of format.
Lossless two-area message model. TUniMessage = Body (just the message text) + Attributes (key/value bag holding from/to/subject/dates/ addresses/MSGID/SEEN-BY/PATH and per-format extras). Same shape as RFC 822 email. Round-trip preservation enforced by the test suite.
Capabilities API — base.SupportsAttribute('attr.returnreceipt') lets UIs hide controls the underlying backend has no slot for. Each backend publishes its key list via ClassSupportedAttributes. Full per-format matrix in docs/attributes-registry.md.
Per-user High-Water Mark — base.GetHWM('NetReader') / base.SetHWM(...) plus auto-bump via base.ActiveUser. Native for JAM (.JLR), Squish (.SQL), Hudson + GoldBase (LASTREAD.BBS/DAT, with MapUser + Board context). Tossers and scanners register as named users in the format's native lastread file, so multiple consumers coexist without colliding. Unsupported formats return -1 honestly.
Layered locking: in-process TRTLCriticalSection + cross-process advisory lock (fpflock on Unix, LockFileEx on Windows, .LCK sentinel fallback)
- the existing fmShareDenyWrite / fmShareDenyNone share modes.
Event hooks for logging, progress, and status reporting.
Path / filename auto-derivation per format from a base directory plus optional area tag (area attribute auto-populated on Read).
Shared FTSC kludge plumbing in ma.kludge — single source of truth for kludge-line parse/emit (ParseKludgeLine, SplitKludgeBlob, BuildKludgePrefix/Suffix). Unknown FTSC kludges round-trip uniformly as kludge.<lowername> regardless of which backend stored them, so consumers don't switch on format to find passthrough kludges.

Building

Use both the native and .uni adapter units in your uses clause — the .uni adapter's initialization block is what registers the backend with the unified-API factory. Forgetting it produces EMessageBase: No backend registered for <format>.

uses
  ma.types, ma.events, ma.api,
  ma.fmt.jam, ma.fmt.jam.uni;     { both — .uni registers }

Native Linux:

fpc -Fusrc -Fusrc/formats examples/example_read.pas

Lazarus package:

lazbuild fpc-msgbase.lpk

The repo includes a fpc.cfg template covering the multi-target build (i386-go32v2, i386-win32, i386-linux, i386-os2).

Layout

src/                ma.api, ma.types, ma.events, ma.lock, ma.paths, ma.kludge
src/formats/        ma.fmt.<format>.pas — one per supported format
docs/               architecture, locking semantics, format notes
tests/              FPCUnit tests, sample data
examples/           small CLI programs that double as smoke tests

Unit-name convention follows the Fimail style: ma.<category>.<name>.pas (ma. is the library's namespace prefix; the project was originally named message_api, hence ma). All units use {$mode objfpc}{$H+}.

Documentation

docs/API.md — full API reference with examples
docs/architecture.md — layered design + Body/Attributes contract
docs/attributes-registry.md — canonical attribute keys + per-format support matrix
docs/ftsc-compliance.md — spec notes
docs/format-notes/ — per-format quirks

Status

Early development. APIs may move until 1.0.

0.2 is a breaking change vs 0.1. TUniMessage lost its 13 named fields (WhoFrom/WhoTo/Subject/MsgNum/Attr/etc.) in favour of a strict Body + Attributes two-area model. Migration:

{ before }                       { after }
msg.WhoFrom                       msg.Attributes.Get('from')
msg.Subject := 'foo';             msg.Attributes.SetValue('subject', 'foo');
msg.Attr := MSG_ATTR_LOCAL;       msg.Attributes.SetBool('attr.local', true);
msg.OrigAddr                      msg.Attributes.GetAddr('addr.orig')
msg.DateWritten                   msg.Attributes.GetDate('date.written')

This change makes the unified API lossless — kludges (MSGID, SEEN-BY, PATH, etc.) round-trip cleanly, where 0.1 silently dropped them. See docs/attributes-registry.md for the full key catalog.

Format backends are spec-driven implementations validated against real-world sample bases.