🔒 Validate #setquota storage limit argument #659

Merged
nevans merged 1 commit into master from security/QUOTA-argument-validation
Apr 23, 2026

Conversation

@nevans nevans (Collaborator) commented Apr 23, 2026

Important

This fixes a CRLF/command/argument injection vulnerability for the storage_limit argument to #setquota.

There's no reason to use RawData for this. We can use Net::IMAP's standard command argument formatting to send a parenthesized list.
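As an added example (not net-imap's own code), the following Ruby models the two serializations the description contrasts: interpolating the caller's value into a raw string, versus validating it as an Integer and letting the argument formatter build the parenthesized list. `format_arg`, `setquota_raw`, `setquota_checked` and `command_count` are constructed stand-ins that only mimic Net::IMAP's wire format.

```ruby
CRLF = "\r\n"

# Minimal stand-in for Net::IMAP's command argument formatter: Integers are
# sent as numbers, Arrays as parenthesized lists, atom-safe Strings bare and
# other Strings quoted. Net::IMAP would send a String containing CR/LF as a
# literal; this simplified version rejects it instead.
def format_arg(arg)
  case arg
  when Integer then arg.to_s
  when Array   then "(" + arg.map { |a| format_arg(a) }.join(" ") + ")"
  when String
    if arg.match?(/\A[A-Za-z0-9]+\z/)
      arg
    elsif arg.match?(/[\r\n]/)
      raise ArgumentError, "CR/LF not allowed in a quoted string"
    else
      '"' + arg.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
    end
  else raise ArgumentError, "unsupported argument type #{arg.class}"
  end
end

# Vulnerable pattern: the caller's value is interpolated into a raw string that
# bypasses the formatter, so any CR LF it contains reaches the wire unchanged.
def setquota_raw(tag, mailbox, storage_limit)
  raw = storage_limit.nil? ? "()" : "(STORAGE #{storage_limit})"
  "#{tag} SETQUOTA #{format_arg(mailbox)} #{raw}#{CRLF}"
end

# Hardened pattern: coerce the limit to a non-negative Integer first, then
# hand the formatter an Array so it builds the parenthesized list itself.
# As in Net::IMAP#setquota, nil means "unset the quota" and becomes "()".
def setquota_checked(tag, mailbox, storage_limit)
  quota =
    if storage_limit.nil?
      []
    else
      limit = Integer(storage_limit) # ArgumentError on "1024\r\nA002 NOOP"
      raise ArgumentError, "storage limit must be >= 0" if limit.negative?
      ["STORAGE", limit]
    end
  "#{tag} SETQUOTA #{format_arg(mailbox)} #{format_arg(quota)}#{CRLF}"
end

# Number of IMAP command lines in the serialized bytes; one command must be 1.
def command_count(wire)
  wire.scan(CRLF).size
end
```

Feeding both functions a constructed limit such as `"1024\r\nA002 NOOP"` shows the difference: the raw form yields two command lines on the wire, the checked form raises ArgumentError before anything is sent.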

@nevans nevans added labels bug (Something isn't working) and backport (This issue or PR is for a stable release branch) Apr 23, 2026
There's no reason to use `RawData` for this.  We can use Net::IMAP's
standard command argument formatting to send a parenthesized list.
@nevans nevans force-pushed the security/QUOTA-argument-validation branch from a6e91c3 to 11cab01 April 23, 2026 13:59
@nevans nevans merged commit 0ec4fd3 into master Apr 23, 2026
39 checks passed
@nevans nevans deleted the security/QUOTA-argument-validation branch April 23, 2026 14:16
@nevans nevans added labels backport-0.5 (This ticket needs to be backported to the v0.5-stable branch), backport-0.4 (This ticket needs to be backported to the v0.4-stable branch) and security vulnerability patch (Pull requests that address security vulnerabilities), and removed label backport (This issue or PR is for a stable release branch) Apr 23, 2026
nevans added a commit that referenced this pull request Apr 23, 2026
Now that fixes for `setquota` (#659) and `store`/`uid_store` (#658) have
been merged, there should only be two parameters that still use
`RawData`: search `criteria` and fetch `attr` (and the `UID` variants).

`#search` criteria (when a string) had already been documented, but this
aspect of `#fetch` attr was _not_ previously documented!
nevans added a commit that referenced this pull request Apr 23, 2026
🔒 Fix CRLF injection vulnerabilities (backports #657, #658, #659, #660, #636, #661)
