Reject CR/LF in SimpleSMTPHeader and SimpleNNTPHeader fields#397
@dxbjavid
Added tests for both classes covering the constructor, addCC/addNewsgroup, and addHeaderField sinks. They fail on master (8 failures, nothing thrown) and pass with the fix applied.
garydgregory left a comment
Hello @dxbjavid
Thank you for your PR.
What about Unicode line breaks, for example U+2028? Should those matter?
Only CR and LF actually terminate a line in the SMTP/NNTP wire protocol, so those are the bytes that let a value break out of its header. U+2028 and the other Unicode line breaks aren't line terminators there, they just get written out as their encoded bytes (E2 80 A8 for U+2028 in UTF-8, none of which is CR or LF), so they can't inject a header field. I kept the guard to CR/LF to match that and the existing null-From check. Can widen it if you'd prefer to be strict about them, but it isn't needed to close the injection.
If the spec says CR and LF then that should be good enough. |
Right. Header fields are CRLF-terminated on the wire: RFC 5322 section 2.2 for mail, RFC 3977/5536 for news. CR and LF are the only bytes that end a field there, so guarding those two closes the injection. |
@dxbjavid |
Fuzzing a small contact-form mailer built on SimpleSMTPHeader turned this up. The subject/from/cc and addHeaderField values get appended straight into the generated header block, so an embedded LF injects arbitrary mail headers or a message body (CWE-93). SimpleNNTPHeader has the same gap in its From/Subject/Newsgroups and header sinks. Reject CR/LF in those values, like the existing null-From check.
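Added example, not code from this PR or from Commons Net: a throwaway header builder in the shape of SimpleSMTPHeader (the class SmtpHeader, the helpers rejectCrLf and countFields, and the addresses are all hypothetical). It is built first without the guard, where a constructed contact-form subject carrying CRLF turns three inputs into four header fields plus a message body, then with the CR/LF rejection the PR describes, and finally with a U+2028 subject to show why the guard can stop at CR and LF: on the wire that character is the bytes E2 80 A8 and stays inside its field.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added illustration, not Commons Net code: a minimal CRLF-terminated header
 * builder in the shape of SimpleSMTPHeader (hypothetical class SmtpHeader),
 * used once without and once with the CR/LF guard discussed in the thread.
 */
public class HeaderInjectionDemo {

    /**
     * Rejects CR or LF anywhere in a header value. Those are the only bytes that
     * terminate a field on the SMTP/NNTP wire, so they are the only ones that can
     * break a value out of its header. Other Unicode line breaks (U+2028 etc.)
     * are deliberately allowed: they are written out as ordinary bytes.
     */
    static String rejectCrLf(String fieldName, String value) {
        if (value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0)) {
            throw new IllegalArgumentException(fieldName + " must not contain CR or LF");
        }
        return value;
    }

    /** Hypothetical stand-in for SimpleSMTPHeader; the guard is switchable to show both behaviours. */
    static final class SmtpHeader {
        private final StringBuilder fields = new StringBuilder();
        private final boolean guarded;

        SmtpHeader(boolean guarded, String from, String to, String subject) {
            this.guarded = guarded;
            addHeaderField("From", from);
            addHeaderField("To", to);
            addHeaderField("Subject", subject);
        }

        /** Appends "Name: value\r\n"; unguarded, an embedded CR/LF in value becomes a new field. */
        void addHeaderField(String name, String value) {
            if (guarded) {
                rejectCrLf("header name", name);
                rejectCrLf(name, value);
            }
            fields.append(name).append(": ").append(value).append("\r\n");
        }

        /** Header block plus the empty line that separates headers from the body. */
        String toWire() {
            return fields.toString() + "\r\n";
        }
    }

    /** Number of header fields a receiver would parse: the lines before the first blank line. */
    static int countFields(String wire) {
        int end = wire.indexOf("\r\n\r\n");
        String headers = end < 0 ? wire : wire.substring(0, end);
        return headers.isEmpty() ? 0 : headers.split("\r\n").length;
    }

    public static void main(String[] args) {
        String from = "form@example.invalid";
        String to = "inbox@example.invalid";
        // Constructed attacker input for the Subject field of a contact-form mailer:
        // a CRLF ends the Subject line, a Bcc field follows, and a blank line starts a body.
        String evilSubject = "Hello\r\nBcc: victim@example.invalid\r\n\r\nInjected body";

        SmtpHeader unguarded = new SmtpHeader(false, from, to, evilSubject);
        String wire = unguarded.toWire();
        System.out.println("unguarded: " + countFields(wire) + " header fields from 3 inputs");
        System.out.print(wire);

        try {
            new SmtpHeader(true, from, to, evilSubject);
        } catch (IllegalArgumentException e) {
            System.out.println("guarded: rejected, " + e.getMessage());
        }

        // U+2028 LINE SEPARATOR passes the guard and stays inside its field on the wire:
        // UTF-8 encodes it as E2 80 A8, none of which is 0x0D or 0x0A.
        String subject = "Hello\u2028world";
        SmtpHeader guarded = new SmtpHeader(true, from, to, subject);
        StringBuilder hex = new StringBuilder();
        for (byte b : subject.getBytes(StandardCharsets.UTF_8)) {
            hex.append(String.format("%02X ", b));
        }
        System.out.println("guarded: " + countFields(guarded.toWire())
                + " header fields, Subject bytes: " + hex.toString().trim());
    }
}
```

The guard checks the header name as well as the value, since addHeaderField takes both from the caller; a name containing CRLF breaks out of the block just as a value does. Rejecting with an exception rather than stripping the bytes keeps the failure visible to the calling application instead of silently sending an altered message.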