Fix StartTLS stripping vulnerability
Reported by Alexandr Savca in https://hackerone.com/reports/1178562

Co-authored-by: Shugo Maeda <shugo@ruby-lang.org>
2 people authored and unak committed Jul 7, 2021
1 parent 3ca1399 commit a21a3b7
Showing 3 changed files with 39 additions and 2 deletions.
8 changes: 7 additions & 1 deletion lib/net/imap.rb
Expand Up @@ -1216,12 +1216,14 @@ def get_tagged_response(tag, cmd)
end
resp = @tagged_responses.delete(tag)
case resp.name
when /\A(?:OK)\z/ni
return resp
when /\A(?:NO)\z/ni
raise NoResponseError, resp
when /\A(?:BAD)\z/ni
raise BadResponseError, resp
else
return resp
raise UnknownResponseError, resp
end
end

Expand Down Expand Up @@ -3717,6 +3719,10 @@ class BadResponseError < ResponseError
class ByeResponseError < ResponseError
end

# Error raised upon an unknown response from the server.
class UnknownResponseError < ResponseError
end

RESPONSE_ERRORS = Hash.new(ResponseError)
RESPONSE_ERRORS["NO"] = NoResponseError
RESPONSE_ERRORS["BAD"] = BadResponseError
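Review bot: The new `else` branch (`raise UnknownResponseError, resp`) carries no comment saying why a tagged status other than OK/NO/BAD must be fatal rather than handed back to the caller, and that reasoning is the whole fix: returning the response let a caller such as `starttls` treat an unexpected reply as success and carry on over the unencrypted socket. I would add above the `else`: `# Any tagged status other than OK/NO/BAD is an error: returning it would let callers (e.g. #starttls) proceed as if the command had succeeded.` The `RESPONSE_ERRORS` table in the second hunk still maps unknown names to the generic `ResponseError` default and is not updated to the new class; if it is used for the same mapping elsewhere (not visible here), the two paths now disagree, so the class doc on `UnknownResponseError` should say which one callers must rescue. Only the tail of `get_tagged_response` is shown; the method starts outside the hunk.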
31 changes: 31 additions & 0 deletions test/net/imap/test_imap.rb
Expand Up @@ -127,6 +127,16 @@ def test_starttls
imap.disconnect
end
end

def test_starttls_stripping
starttls_stripping_test do |port|
imap = Net::IMAP.new("localhost", :port => port)
assert_raise(Net::IMAP::UnknownResponseError) do
imap.starttls(:ca_file => CA_FILE)
end
imap
end
end
end

def start_server
Expand Down Expand Up @@ -784,6 +794,27 @@ def starttls_test
end
end

def starttls_stripping_test
server = create_tcp_server
port = server.addr[1]
start_server do
sock = server.accept
begin
sock.print("* OK test server\r\n")
sock.gets
sock.print("RUBY0001 BUG unhandled command\r\n")
ensure
sock.close
server.close
end
end
begin
imap = yield(port)
ensure
imap.disconnect if imap && !imap.disconnected?
end
end

def create_tcp_server
return TCPServer.new(server_addr, 0)
end
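Review bot: `sock.print("RUBY0001 BUG unhandled command\r\n")` in `starttls_stripping_test` hardcodes the tag the client is expected to use for its first command; if that tag scheme ever changes, the reply will not match the pending tag and `imap.starttls` will presumably wait for a tagged response instead of raising, so a regression would make the test hang rather than fail. I would document the coupling with `# "RUBY0001" must equal the tag Net::IMAP assigns to its first command; a mismatch stalls the client instead of raising` and consider bounding the `yield(port)` with a timeout. `sock.gets` also discards the client's STARTTLS line unchecked; asserting it begins with the expected command would make an unrelated client change fail clearly at the server side. The same tag assumption underlies `test_starttls_stripping` in the first hunk, which relies on the `UnknownResponseError` produced here.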
2 changes: 1 addition & 1 deletion version.h
Expand Up @@ -2,7 +2,7 @@
# define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
#define RUBY_VERSION_TEENY 4
#define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
#define RUBY_PATCHLEVEL 190
#define RUBY_PATCHLEVEL 191

#define RUBY_RELEASE_YEAR 2021
#define RUBY_RELEASE_MONTH 7
