🔒🐛 Validate RawData and wait to continue literals#660
Merged
Conversation
This parses a RawData string into an array of `text`, `literal`, and
`literal8` parts. This fixes embedded literals so they correctly wait
for server continuation request before sending. Non-synchronizing
literals are also parsed correctly.
This adds `Net::IMAP::RawText` which sends verbatim (like `RawData` did
previously), and handles `text` validations:
* `text` can't contain CR, LF, or NULL
* `text` must be ASCII compatible or valid UTF-8
The existing `Literal` and `Literal8` classes handle literal validation:
* `literal` can't contain NULL byte, but `literal8` can
Additionally, `RawData` validates that:
* embedded literal bytesize must be <= remaining string bytesize
* final `text` cannot end with `{number}` (in case a `CRLF` comes after)
This does _not_ make RawData arguments safe from every type of injection
attack. However, without losing any significant flexibility, this
_does_ prevent unescaped `CRLF` from creating a _command_ injection.
nevans
added
bug
nevans
added
the
security vulnerability patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Important
This fixes a CRLF/command injection vulnerability for
RawData, which is used by:#searchand#uid_searchsendcriteriaas raw data, when it is a String#fetchand#uid_fetchsendattras raw data, when it is a String.When
attris an Array, its String members are sent as raw data.Caution
RawDatadoes not defend against other forms of argument injection! It is an intentionally low-level API.This parses a RawData string into an array of
text,literal, andliteral8parts. In addition to blocking the CRLF injection vulnerability, this also fixes embedded literals so they correctly wait for server continuation request before sending. Binary and Non-synchronizing literals are also parsed and sent correctly.This adds
Net::IMAP::RawTextwhich sends verbatim (likeRawDatadid previously), and handlestextvalidations:textcan't contain CR, LF, or NULLtextmust be ASCII compatible or valid UTF-8The existing
LiteralandLiteral8classes handle literal validation:literalcan't contain NULL byte, butliteral8canAdditionally,
RawDatavalidates that:textcannot end with{number}(in case aCRLFcomes after)This does not make RawData arguments safe from every type of injection attack. However, without losing any significant flexibility, this does prevent unescaped
CRLFfrom creating a command injection.