Skip to content

🔒 Fix STARTTLS stripping vulnerability (backports #664, #395, #198)#667

Merged
nevans merged 6 commits intov0.3-stablefrom
backport/v0.3/STARTTLS-stripping
Apr 23, 2026
Merged

🔒 Fix STARTTLS stripping vulnerability (backports #664, #395, #198)#667
nevans merged 6 commits intov0.3-stablefrom
backport/v0.3/STARTTLS-stripping

Conversation

@nevans
Copy link
Copy Markdown
Collaborator

@nevans nevans commented Apr 23, 2026

Also backports #395 to v0.3-stable. This ensures STARTTLS handler errors in the receiver thread are re-raised in the client thread.

Partially backports #198 to v0.3-stable: This copies InvalidResponseError (and an rdoc update to UnknownResponseError). The behavioral changes from that PR have not been copied.

Backports #664 to v0.5-stable. A couple of irrelevant commits were excluded.

Warning

Without this patch, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

This ensures that #starttls either succeeds or raises an exception.

The following cases will raise an exception and close the connection:

  • For #starttls, when another error wasn't raised (e.g: the response errors for NO or BAD) but the handler did not run.
  • For any command, if the server sends a tagged OK response for that command before the command has been fully sent (before the command's own response handlers are added), an exception is raised and the connection is closed.

nevans and others added 6 commits April 23, 2026 14:07
@nevans @rhenium
🍒 pick 257ede0: 🥅 Re-raise #starttls error from receiver thread [ba…
e3a6ba4 
…ckports #395]

Backports #395 to `v0.3-stable`.  The tests required an additional
rescue-and-ignore for the server thread in `starttls_test`, which was
already present in all later branches.

---------

When `start_tls_session` raises an exception, that's caught in the
receiver thread, but not re-raised.  Fortunately, `@sock` will now be
a permanently broken SSLSocket, so I don't think this can lead to
accidentally using an insecure connection.

Even so, `#starttls` should disconnect the socket and re-raise the error
immediately.

Failing test case was provided by @rhenium in #394.

Co-authored-by: Kazuki Yamaguchi <k@rhe.jp>
@nevans
🍒 pick 609acd9: 🥅 Add new InvalidResponseError exception class [bac…
2068d46 
…kport #198]

This copies the InvalidResponseError from #198 and the rdoc update to
UnknownResponseError.  The behavioral changes from that PR have _not_
been copied.
@nevans
🍒 pick 46636ca: ❌🔒 Add failing test for STARTTLS stripping [backport #…
f96ab6c 
…664]

I'm putting this in its own commit to simplify testing across backports.
Also, I'm taking a "belt-and-suspenders" approach, and I'm going to test
that either of the two fixes passes the tests.
@nevans
🍒 pick 62eea6f: 🔒🥅 Ensure STARTTLS tagged response was handled [backp…
d16e994 
…ort #664]

Taking a "belt-and-suspenders" approach to a STARTTLS stripping attack:

This handles `STARTTLS` as a special-case: if the `STARTTLS` handler
did not run, for _whatever_ reason, an exception _must_ be raised and
the connection dropped.

_No_ command should ever receive a tagged `OK` prior to completely
sending the command.  But `STARTTLS` is security-sensitive enough to
warrant this special-case handler.
@nevans
🍒 pick 24d5c77: 🔒🥅 Handle tagged "OK" to incomplete command [backport #…
6b2fda5 
…664]

Taking a "belt-and-suspenders" approach:

This is a potential problem for any command which registers a response
handler: a malicious server can easily guess what the next tag will be,
and send an `OK` response _before_ the client the response handler is
attached.

`STARTTLS` is an extreme example of this issue: if the `STARTTLS`
handler does not run, then `#starttls` will not start the TLS session,
and the connection is not secured, _but no error is raised._

We should _also_ attach the response handler before sending the `CRLF`,
but that is neither necessary (the response handler will added before
the `synchronize` mutex is unlocked) nor sufficient (the fake `OK` can
be sent _much_ earlier).

On the other hand, it _is_ okay for the server to send an error tagged
response (`NO` or `BAD`), before the sending the command has completed.
@nevans
✅ Block incompatible rdoc version
ceeb92a 
rdoc 7.2.0 lists >=2.6 as it's required ruby version, but it isn't
tested in CI, and it is broken.  See ruby/rdoc#1683.
@nevans nevans merged commit 97e2488 into v0.3-stable Apr 23, 2026
38 checks passed
@nevans nevans deleted the backport/v0.3/STARTTLS-stripping branch April 23, 2026 20:01
@nevans nevans added bug Something isn't working backport This issue or PR is for a stable release branch security vulnerability patch Pull requests that address security vulnerabilities labels Apr 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport This issue or PR is for a stable release branch bug Something isn't working security vulnerability patch Pull requests that address security vulnerabilities

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nevans