ruby-changes:43250
From: shugo <ko1@a...>
Date: Wed, 8 Jun 2016 16:07:03 +0900 (JST)
Subject: [ruby-changes:43250] shugo:r55324 (trunk): * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
shugo 2016-06-08 16:06:57 +0900 (Wed, 08 Jun 2016) New Revision: 55324 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55324 Log: * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when CR or LF is included in a line, because they are not allowed in RFC5321. Modified files: trunk/ChangeLog trunk/lib/net/smtp.rb trunk/test/net/smtp/test_smtp.rb Index: lib/net/smtp.rb =================================================================== --- lib/net/smtp.rb (revision 55323) +++ lib/net/smtp.rb (revision 55324) @@ -926,7 +926,15 @@ module Net https://github.com/ruby/ruby/blob/trunk/lib/net/smtp.rb#L926 private + def validate_line(line) + # A bare CR or LF is not allowed in RFC5321. + if /[\r\n]/ =~ line + raise ArgumentError, "A line must not contain CR or LF" + end + end + def getok(reqline) + validate_line reqline res = critical { @socket.writeline reqline recv_response() @@ -936,6 +944,7 @@ module Net https://github.com/ruby/ruby/blob/trunk/lib/net/smtp.rb#L944 end def get_response(reqline) + validate_line reqline @socket.writeline reqline recv_response() end Index: test/net/smtp/test_smtp.rb =================================================================== --- test/net/smtp/test_smtp.rb (revision 55323) +++ test/net/smtp/test_smtp.rb (revision 55324) @@ -6,6 +6,8 @@ require 'test/unit' https://github.com/ruby/ruby/blob/trunk/test/net/smtp/test_smtp.rb#L6 module Net class TestSMTP < Test::Unit::TestCase class FakeSocket + attr_reader :write_io + def initialize out = "250 OK\n" @write_io = StringIO.new @read_io = StringIO.new out 
@@ -51,5 +53,50 @@ module Net https://github.com/ruby/ruby/blob/trunk/test/net/smtp/test_smtp.rb#L53 assert smtp.rset end + + def test_mailfrom + sock = FakeSocket.new + smtp = Net::SMTP.new 'localhost', 25 + smtp.instance_variable_set :@socket, sock + assert smtp.mailfrom("foo@e...").success? + assert_equal "MAIL FROM:<foo@e...>\r\n", sock.write_io.string + end + + def test_rcptto + sock = FakeSocket.new + smtp = Net::SMTP.new 'localhost', 25 + smtp.instance_variable_set :@socket, sock + assert smtp.rcptto("foo@e...").success? + assert_equal "RCPT TO:<foo@e...>\r\n", sock.write_io.string + end + + def test_auth_plain + sock = FakeSocket.new + smtp = Net::SMTP.new 'localhost', 25 + smtp.instance_variable_set :@socket, sock + assert smtp.auth_plain("foo", "bar").success? + assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string + end + + def test_crlf_injection + smtp = Net::SMTP.new 'localhost', 25 + smtp.instance_variable_set :@socket, FakeSocket.new + + assert_raise(ArgumentError) do + smtp.mailfrom("foo\r\nbar") + end + + assert_raise(ArgumentError) do + smtp.mailfrom("foo\rbar") + end + + assert_raise(ArgumentError) do + smtp.mailfrom("foo\nbar") + end + + assert_raise(ArgumentError) do + smtp.rcptto("foo\r\nbar") + end + end end end Index: ChangeLog =================================================================== --- ChangeLog (revision 55323) +++ ChangeLog (revision 55324) @@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Wed Jun 8 16:03:09 2016 Shugo Maeda <shugo@r...> + + * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when + CR or LF is included in a line, because they are not allowed in + RFC5321. + Tue Jun 7 21:27:25 2016 Kazuki Yamaguchi <k@r...> * test/rubygems/*_{cert,cert_32}.pem: Regenerate test certificates for -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
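
Review bot: In lib/net/smtp.rb, the comment inside validate_line ("A bare CR or LF is not allowed in RFC5321") describes less than the check does. /[\r\n]/ also rejects a CR LF pair embedded in the line, and that is the case that matters here: the new tests show writeline appending "\r\n" itself, so an embedded pair would end the command early and start a second one. Suggest rewording the comment to say that a command line must not contain CR or LF at all because the terminator is added on write. Also suggest noting in the documentation of the public callers (mailfrom and rcptto are the ones the tests exercise) that they can now raise ArgumentError. Calling validate_line before the critical block in getok is a good choice, since the line is rejected before anything is written.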
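
Review bot: In the second lib/net/smtp.rb hunk (get_response), the validate_line call is repeated by hand next to "@socket.writeline reqline", just as in getok. The check therefore only protects call sites that remember to include it, and any later method that calls @socket.writeline directly would send an unvalidated line. Suggest moving the write into one private helper that validates and then writes, and having getok and get_response both call it, so the CR/LF check cannot be skipped by a new caller.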
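
Review bot: In test/net/smtp/test_smtp.rb, test_crlf_injection only asserts that ArgumentError is raised, not that nothing reached the socket. The FakeSocket is created inline in instance_variable_set, so its write_io cannot be inspected afterwards. Suggest keeping the socket in a local (sock = FakeSocket.new, as the other new tests do) and asserting that sock.write_io.string is still empty after each rejected call, which is the property the fix is meant to guarantee. The negative cases also go only through mailfrom and rcptto, and rcptto is tested with "\r\n" only. If neither method reaches get_response, add a case that does, so the second validate_line call is covered as well.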