Skip to content

Commit 89e31ba

Browse files
committed
🍒 pick e224fd6: 🥅 Validate that Atom and Flag are not empty
`Atom` and `Flag` have only been used for argument validation since v0.6.4 (as well as v0.5.14 and v0.4.24), and they validated for absense of `atom-specials`. But they failed to check that the strings are not empty. While this could be used to create syntax errors, I don't believe it amounts a security vulnerability. The result would be no different from any other `BAD` server response, which an application must be prepared to handle.
1 parent 4063bc1 commit 89e31ba

2 files changed

Lines changed: 4 additions & 0 deletions

File tree

lib/net/imap/command_data.rb

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -241,6 +241,8 @@ def validate
241241
or raise DataFormatError, "#{self.class} must be ASCII only"
242242
data.match?(ResponseParser::Patterns::ATOM_SPECIALS) \
243243
and raise DataFormatError, "#{self.class} must not contain atom-specials"
244+
data.empty? \
245+
and raise DataFormatError, "#{self.class} must not be empty"
244246
end
245247

246248
def send_data(imap, tag)

test/net/imap/test_command_data.rb

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,6 +85,7 @@ def send_data(*data, tag: TAG)
8585
"with_quoted_specials\\",
8686
"with\rCR",
8787
"with\nLF",
88+
"", # empty
8889
].each do |symbol|
8990
assert_raise_with_message(Net::IMAP::DataFormatError, /\batom\b/i) do
9091
imap.send_data Atom[symbol]
@@ -116,6 +117,7 @@ def send_data(*data, tag: TAG)
116117
:"with_quoted_specials\\",
117118
:"with\rCR",
118119
:"with\nLF",
120+
:"", # empty
119121
].each do |symbol|
120122
assert_raise_with_message(Net::IMAP::DataFormatError, /\bflag\b/i) do
121123
imap.send_data Flag[symbol]

0 commit comments

Comments
 (0)