summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorshugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-06-08 07:06:57 +0000
committershugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-06-08 07:06:57 +0000
commit0827a7e52ba3d957a634b063bf5a391239b9ffee (patch)
tree53a744559b70b472515a77a81bff265d9b806ea2
parente5230fba8ff9076e399dccd18ed8449fce19fd6f (diff)
* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
CR or LF is included in a line, because they are not allowed in RFC5321. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55324 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog6
-rw-r--r--lib/net/smtp.rb9
-rw-r--r--test/net/smtp/test_smtp.rb47
3 files changed, 62 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 2a1cb8c115d..768469ea8ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Wed Jun 8 16:03:09 2016 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
+ CR or LF is included in a line, because they are not allowed in
+ RFC5321.
+
Tue Jun 7 21:27:25 2016 Kazuki Yamaguchi <k@rhe.jp>
* test/rubygems/*_{cert,cert_32}.pem: Regenerate test certificates for
diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
index 250293bdbe2..a7130a593b4 100644
--- a/lib/net/smtp.rb
+++ b/lib/net/smtp.rb
@@ -926,7 +926,15 @@ module Net
private
+ def validate_line(line)
+ # A bare CR or LF is not allowed in RFC5321.
+ if /[\r\n]/ =~ line
+ raise ArgumentError, "A line must not contain CR or LF"
+ end
+ end
+
def getok(reqline)
+ validate_line reqline
res = critical {
@socket.writeline reqline
recv_response()
@@ -936,6 +944,7 @@ module Net
end
def get_response(reqline)
+ validate_line reqline
@socket.writeline reqline
recv_response()
end
diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb
index 0edb3419d56..3bcceb6fc5b 100644
--- a/test/net/smtp/test_smtp.rb
+++ b/test/net/smtp/test_smtp.rb
@@ -6,6 +6,8 @@ require 'test/unit'
module Net
class TestSMTP < Test::Unit::TestCase
class FakeSocket
+ attr_reader :write_io
+
def initialize out = "250 OK\n"
@write_io = StringIO.new
@read_io = StringIO.new out
@@ -51,5 +53,50 @@ module Net
assert smtp.rset
end
+
+ def test_mailfrom
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.mailfrom("foo@example.com").success?
+ assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_rcptto
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.rcptto("foo@example.com").success?
+ assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_auth_plain
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.auth_plain("foo", "bar").success?
+ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
+ end
+
+ def test_crlf_injection
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, FakeSocket.new
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\r\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\rbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.rcptto("foo\r\nbar")
+ end
+ end
end
end