ruby-changes:10450
From: shyouhei <ko1@a...>
Date: Tue, 3 Feb 2009 14:34:22 +0900 (JST)
Subject: [ruby-changes:10450] Ruby:r22000 (ruby_1_8_6): merge revision(s) 19774:
shyouhei 2009-02-03 14:34:11 +0900 (Tue, 03 Feb 2009) New Revision: 22000 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=22000 Log: merge revision(s) 19774: * lib/net/pop.rb: check for invalid APOP timestamp. (CVE-2007-1558) [ruby-dev:36631] * test/net/pop/test_pop.rb: ditto. Added directories: branches/ruby_1_8_6/test/net/pop/ Modified files: branches/ruby_1_8_6/ChangeLog branches/ruby_1_8_6/lib/net/pop.rb branches/ruby_1_8_6/version.h Index: ruby_1_8_6/ChangeLog =================================================================== --- ruby_1_8_6/ChangeLog (revision 21999) +++ ruby_1_8_6/ChangeLog (revision 22000) @@ -1,3 +1,10 @@ +Tue Feb 3 14:33:08 2009 Kazuhiro NISHIYAMA <zn@m...> + + * lib/net/pop.rb: check for invalid APOP timestamp. (CVE-2007-1558) + [ruby-dev:36631] + + * test/net/pop/test_pop.rb: ditto. + Mon Feb 2 20:03:00 2009 Nobuyoshi Nakada <nobu@r...> * time.c (time_mdump, time_mload): preserves GMT status. Index: ruby_1_8_6/version.h =================================================================== --- ruby_1_8_6/version.h (revision 21999) +++ ruby_1_8_6/version.h (revision 22000) @@ -1,15 +1,15 @@ #define RUBY_VERSION "1.8.6" -#define RUBY_RELEASE_DATE "2009-02-02" +#define RUBY_RELEASE_DATE "2009-02-03" #define RUBY_VERSION_CODE 186 -#define RUBY_RELEASE_CODE 20090202 -#define RUBY_PATCHLEVEL 317 +#define RUBY_RELEASE_CODE 20090203 +#define RUBY_PATCHLEVEL 318 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 #define RUBY_VERSION_TEENY 6 #define RUBY_RELEASE_YEAR 2009 #define RUBY_RELEASE_MONTH 2 -#define RUBY_RELEASE_DAY 2 +#define RUBY_RELEASE_DAY 3 #ifdef RUBY_EXTERN RUBY_EXTERN const char ruby_version[]; Index: ruby_1_8_6/lib/net/pop.rb =================================================================== --- ruby_1_8_6/lib/net/pop.rb (revision 21999) +++ ruby_1_8_6/lib/net/pop.rb (revision 22000) @@ -752,7 +752,7 @@ @socket = sock @error_occured = false res = check_response(critical { recv_response() }) - @apop_stamp = res.slice(/<.+>/) + @apop_stamp = res.slice(/<[!-~]+@[!-~]+>/) end def inspect Index: ruby_1_8_6/test/net/pop/test_pop.rb =================================================================== --- ruby_1_8_6/test/net/pop/test_pop.rb (revision 0) +++ ruby_1_8_6/test/net/pop/test_pop.rb (revision 22000) @@ -0,0 +1,132 @@ +require 'net/pop' +require 'test/unit' +require 'digest/md5' + +class TestPOP < Test::Unit::TestCase + def setup + @users = {'user' => 'pass' } + @ok_user = 'user' + @stamp_base = "#{$$}.#{Time.now.to_i}@localhost" + end + + def test_pop_auth_ok + pop_test(false) do |pop| + assert_instance_of Net::POP3, pop + assert_nothing_raised do + pop.start(@ok_user, @users[@ok_user]) + end + end + end + + def test_pop_auth_ng + pop_test(false) do |pop| + assert_instance_of Net::POP3, pop + assert_raise Net::POPAuthenticationError do + pop.start(@ok_user, 'bad password') + end + end + end + + def test_apop_ok + pop_test(@stamp_base) do |pop| + assert_instance_of Net::APOP, pop + assert_nothing_raised do + pop.start(@ok_user, @users[@ok_user]) + end + end + end + + def test_apop_ng + pop_test(@stamp_base) do |pop| + assert_instance_of Net::APOP, pop + assert_raise Net::POPAuthenticationError do + pop.start(@ok_user, 'bad password') + end + end + end + + def test_apop_invalid + pop_test("\x80"+@stamp_base) do |pop| + assert_instance_of Net::APOP, pop + assert_raise Net::POPAuthenticationError do + pop.start(@ok_user, @users[@ok_user]) + end + end + end + + def test_apop_invalid_at + pop_test(@stamp_base.sub('@', '.')) do |pop| + assert_instance_of Net::APOP, pop + e = assert_raise Net::POPAuthenticationError do + pop.start(@ok_user, @users[@ok_user]) + end + end + end + + def pop_test(apop=false) + host = 'localhost' + server = TCPServer.new(host, 0) + port = server.addr[1] + thread = Thread.start do + sock = server.accept + begin + pop_server_loop(sock, apop) + ensure + sock.close + end + end + begin + pop = Net::POP3::APOP(apop).new(host, port) + #pop.set_debug_output $stderr + yield pop + ensure + begin + pop.finish + rescue IOError + raise unless $!.message == "POP session not yet started" + end + end + ensure + server.close + thread.value + end + + def pop_server_loop(sock, apop) + if apop + sock.print "+OK ready <#{apop}>\r\n" + else + sock.print "+OK ready\r\n" + end + user = nil + while line = sock.gets + case line + when /^USER (.+)\r\n/ + user = $1 + if @users.key?(user) + sock.print "+OK\r\n" + else + sock.print "-ERR unknown user\r\n" + end + when /^PASS (.+)\r\n/ + if @users[user] == $1 + sock.print "+OK\r\n" + else + sock.print "-ERR invalid password\r\n" + end + when /^APOP (.+) (.+)\r\n/ + user = $1 + if apop && Digest::MD5.hexdigest("<#{apop}>#{@users[user]}") == $2 + sock.print "+OK\r\n" + else + sock.print "-ERR authentication failed\r\n" + end + when /^QUIT/ + sock.print "+OK bye\r\n" + return + else + sock.print "-ERR command not recognized\r\n" + return + end + end + end +end Property changes on: ruby_1_8_6/test/net/pop/test_pop.rb ___________________________________________________________________ Name: svn:eol-style + LF -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/