1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when

Browse Source 
CR or LF is included in a line, because they are not allowed in
RFC5321.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55324 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
shugo 2016-06-08 07:06:57 +00:00
parent e5230fba8f
commit 0827a7e52b
3 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,3 +1,9 @@
Wed Jun 8 16:03:09 2016 Shugo Maeda <shugo@ruby-lang.org>
* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
CR or LF is included in a line, because they are not allowed in
RFC5321.
Tue Jun 7 21:27:25 2016 Kazuki Yamaguchi <k@rhe.jp> Tue Jun 7 21:27:25 2016 Kazuki Yamaguchi <k@rhe.jp>
* test/rubygems/*_{cert,cert_32}.pem: Regenerate test certificates for * test/rubygems/*_{cert,cert_32}.pem: Regenerate test certificates for

9
lib/net/smtp.rb
View File

@ -926,7 +926,15 @@ module Net
private private
def validate_line(line)
# A bare CR or LF is not allowed in RFC5321.
if /[\r\n]/ =~ line
raise ArgumentError, "A line must not contain CR or LF"
end
end
def getok(reqline) def getok(reqline)
validate_line reqline
res = critical { res = critical {
@socket.writeline reqline @socket.writeline reqline
recv_response() recv_response()
@ -936,6 +944,7 @@ module Net
end end
def get_response(reqline) def get_response(reqline)
validate_line reqline
@socket.writeline reqline @socket.writeline reqline
recv_response() recv_response()
end end

47
test/net/smtp/test_smtp.rb
View File

@ -6,6 +6,8 @@ require 'test/unit'
module Net module Net
class TestSMTP < Test::Unit::TestCase class TestSMTP < Test::Unit::TestCase
class FakeSocket class FakeSocket
attr_reader :write_io
def initialize out = "250 OK\n" def initialize out = "250 OK\n"
@write_io = StringIO.new @write_io = StringIO.new
@read_io = StringIO.new out @read_io = StringIO.new out
@ -51,5 +53,50 @@ module Net
assert smtp.rset assert smtp.rset
end end
def test_mailfrom
sock = FakeSocket.new
smtp = Net::SMTP.new 'localhost', 25
smtp.instance_variable_set :@socket, sock
assert smtp.mailfrom("foo@example.com").success?
assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
end
def test_rcptto
sock = FakeSocket.new
smtp = Net::SMTP.new 'localhost', 25
smtp.instance_variable_set :@socket, sock
assert smtp.rcptto("foo@example.com").success?
assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
end
def test_auth_plain
sock = FakeSocket.new
smtp = Net::SMTP.new 'localhost', 25
smtp.instance_variable_set :@socket, sock
assert smtp.auth_plain("foo", "bar").success?
assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
end
def test_crlf_injection
smtp = Net::SMTP.new 'localhost', 25
smtp.instance_variable_set :@socket, FakeSocket.new
assert_raise(ArgumentError) do
smtp.mailfrom("foo\r\nbar")
end
assert_raise(ArgumentError) do
smtp.mailfrom("foo\rbar")
end
assert_raise(ArgumentError) do
smtp.mailfrom("foo\nbar")
end
assert_raise(ArgumentError) do
smtp.rcptto("foo\r\nbar")
end
end
end end
end end