SmtpClient: Unconditionally escape leading dots #605
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug: emails sent using
:body
and:headers
do not have leading dots properly escaped. This PR fixes that. See "Reasoning" below for more info.Breaking change
The
EM::Protocols::SmtpClient
:body
and:headers
parameters now escape leading dots on new lines.Given the following message passed in as the
:body
Old behavior: The message would be sent as-is. The recipient would see
New behavior: The leading dot in the second line would be escaped. The recipient would see
Required updates to code: If you knew about this issue and were working around it by manually escaping leading dots in data you passed to
:body
or:headers
, you need to stop doing so to prevent double escaping.Reasoning
cc/ @sodabrew
While discussing #600, I wrote the following:
Almost immediately after posting this, @davidbalbert and I realized that this decision was incorrect. Unfortunately, the PR had been merged before we could post. Sorry, @sodabrew!
The escaping mechanism for leading dots in the SMTP DATA command is unconditional. I.e. if a line starts with a dot, another dot should be inserted in front of it no matter what comes after. The current implementation escapes a leading dot only if it is not followed by another dot. This is a bug: it prevents a user from sending a message where a line starts with two leading dots (the recipient would see one), three leading dots (the recipient would see two), etc. This pull request fixes that behavior by unconditionally escaping any leading dot.
This is a small breaking change: If someone has been working around the lack of escaping in
:body
and:headers
by escaping the leading dots themselves, this change will double-escape their leading dots. Given thatSmtpClient
has not been updated in years and to our knowledge no one had posted about the issue of unescaped leading dots, we think it's much more likely that people are unaware of this issue and sending unescaped emails via:body
and:headers
rather than manually escaping their emails themselves.