Reject CR/LF in POP3 command arguments #31
Merged
Pull request overview
This PR prevents POP3 command injection by rejecting any CR or LF characters in command lines before writing to the socket, specifically protecting USER, PASS, and APOP argument interpolation.
Changes:
- Add a `validate_line` guard in `Net::POP3Command#getok` and `#get_response` to raise `ArgumentError` if the command line contains `\r` or `\n`.
- Add regression tests ensuring `Net::POP3#start` rejects CRLF injection attempts via username/password.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| lib/net/pop.rb | Adds validate_line and applies it to all POP3 command writes via getok/get_response to prevent CR/LF injection. |
| test/net/pop/test_pop.rb | Adds tests that assert ArgumentError is raised when CRLF is present in POP3 login arguments. |
The account and password supplied to USER, PASS, and APOP were interpolated into command lines and written to the socket without neutralizing CR/LF, so an application forwarding untrusted input as login arguments could inject arbitrary POP3 commands. This mirrors the validate_line guard already present in net-smtp and net-ftp. As with the net-http change, the affected inputs come from the application itself, so this is treated as a bug rather than a vulnerability.

Reported-by: tonghuaroot <[email protected]>
Co-Authored-By: Claude Fable 5 <[email protected]>
d1a8153 to 6de982d
The account and password passed to USER, PASS, and APOP were interpolated into command lines without rejecting CR/LF, so an application forwarding untrusted input as login arguments could inject arbitrary POP3 commands. Add the same validate_line guard already present in net-smtp and net-ftp.
As with ruby/net-http#301, these are ordinary bugs rather than vulnerabilities, since the affected inputs are supplied by the application itself.
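As an added illustration (not the PR's or net-pop's own code; `Pop3CommandWriter` and `commands_sent` are hypothetical stand-ins for the gem's command path), this Ruby script shows the effect of the guard: the same `USER`/`PASS` interpolation with and without a `validate_line` check, counting how many commands reach the socket.

```ruby
require 'stringio'

# Hypothetical stand-in for net-pop's command writer (not the gem's own code):
# the same interpolation of account/password into USER/PASS lines, with the
# validate_line guard from PR #31 switchable so the two behaviours compare.
class Pop3CommandWriter
  def initialize(sock, guard: true)
    @sock = sock
    @guard = guard
  end

  # The fix: refuse any line carrying a bare CR or LF before it reaches the
  # socket. net-pop raises ArgumentError, as net-smtp and net-ftp already do.
  def validate_line(line)
    raise ArgumentError, "A line must not contain CR or LF" if line =~ /[\r\n]/
    line
  end

  def user(account)
    write_command("USER #{account}")
  end

  def pass(password)
    write_command("PASS #{password}")
  end

  private

  # APOP takes the same path in the real library; omitted here for brevity.
  def write_command(line)
    validate_line(line) if @guard
    @sock.write(line + "\r\n")
  end
end

# Returns the number of CRLF-terminated commands that reached the wire for a
# login attempt, or :rejected when the guard stopped the write. A well-formed
# login is exactly two commands; any extra line is a smuggled command.
def commands_sent(account, password, guard: true)
  sock = StringIO.new
  writer = Pop3CommandWriter.new(sock, guard: guard)
  writer.user(account)
  writer.pass(password)
  sock.string.split("\r\n").size
rescue ArgumentError
  :rejected
end
```

With the guard off, an account value containing "\r\n" yields three commands on the wire instead of two; with it on, the call raises before anything is written.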