Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2.6.x SMTP security: prevent command injection via To/From addresses #1098

Closed
wants to merge 1 commit into from
Closed

2.6.x SMTP security: prevent command injection via To/From addresses #1098

wants to merge 1 commit into from

Conversation

jeremy
Copy link
Collaborator

@jeremy jeremy commented May 9, 2017

#1097 for Mail 2.6

@jeremy
SMTP security: prevent command injection via To/From addresses
c3c7528 
Validate addresses passed as SMTP command arguments to prevent
injection of other SMTP commands. Disallow line breaks and very
long addresses which may cause overflows on some old SMTP servers.

Ruby 2.4 Net::SMTP already disallows addresses that contain newlines.
Enforce this validation in Mail to cover older Ruby versions and
other SMTP implementations that don't validate input.

SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf
Ruby security report: https://hackerone.com/reports/137631
OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677
@jeremy jeremy added this to the 2.6.6 milestone May 9, 2017
@jeremy jeremy mentioned this pull request May 9, 2017
Closed
jeremy added a commit that referenced this pull request May 9, 2017
@jeremy
SMTP security: prevent command injection via To/From addresses
37908c3 
Validate addresses passed as SMTP command arguments to prevent
injection of other SMTP commands. Disallow line breaks and very
long addresses which may cause overflows on some old SMTP servers.

Ruby 2.4 Net::SMTP already disallows addresses that contain newlines.
Enforce this validation in Mail to cover older Ruby versions and
other SMTP implementations that don't validate input.

SMTP injection whitepaper: http://www.mbsd.jp/Whitepaper/smtpi.pdf
Ruby security report: https://hackerone.com/reports/137631
OSVDB entry: https://rubysec.com/advisories/mail-OSVDB-131677

Closes #1098
@jeremy jeremy closed this May 9, 2017
@jeremy jeremy deleted the 2-6-smtp-injection branch May 9, 2017 05:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.6.6
Development

Successfully merging this pull request may close these issues.
1 participant
@jeremy