Skip Menu |

This queue is for tickets about the Net-IMAP-Simple CPAN distribution.

Report information
The Basics
Id: 33925
Status: resolved
Priority: 0/
Queue: Net-IMAP-Simple
People
Owner: jettero [...] cpan.org
Requestors: jik [...] kamens.brookline.ma.us
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 1.17
Fixed in: (no value)

History Show all quoted text
  Sun Mar 09 10:08:20 2008 jik [...] kamens.brookline.ma.us - Ticket created
Subject: Ignores response length and interprets body text as command result!
Net::IMAP::Simple ignores the octet length sent by the server at the beginning of a FETCH response, and merely looks for the expected status line at the end of the response to determine when all the data has been received. Somebody just sent me a spam message with a bunch of garbage hidden in it, including a whole ton of strings that look like IMAP server response lines, one of which just happened to match the response line that Net::IMAP::Simple was looking for, so it stopped downloading the message at that point and hence the stream between it and the server was corrupted. The stuff in the spam message was probably an intentional effort to break IMAP clients. The fact that Net::IMAP::Simple was indeed broken by it indicates that it is vulnerable to this denial-of-service attack, and there may be security implications as well.
  Sun Mar 09 10:41:53 2008 jik [...] kamens.brookline.ma.us - Correspondence added
Subject: Re: [rt.cpan.org #33925] AutoReply: Ignores response length and interprets body text as command result!
Date: Sun, 09 Mar 2008 10:41:35 -0400
To: bug-Net-IMAP-Simple [...] rt.cpan.org
From: Jonathan Kamens <jik [...] kamens.brookline.ma.us>
Aha. I see upon further examination that Net::IMAP::Simple 1.17 attempts to deal with multiline responses but fails because it doesn't take into account the fact that lines from the server end with CRLF, not LF. It uses the end-of-line regexp operator ($) on such a line, but it fails because Perl considers the CR part of the line and hence the regexp does not match. Attached patch fixes this. jik
--- Simple.pm~ 2006-10-11 12:23:45.000000000 -0400 +++ Simple.pm 2008-03-09 10:38:04.000000000 -0400 @@ -868,7 +868,7 @@ while ( $res = $sock->getline ) { $self->_debug(caller, __LINE__, '_process_cmd', $res) if $self->{debug}; - if ( $res =~ /^\*.*\{(\d+)\}$/ ) { + if ( $res =~ /^\*.*\{(\d+)\}\r\n/ ) { $args{process}->($res); $args{process}->($_) foreach $self->_read_multiline($sock, $1); } else {
  Fri Jun 19 13:28:35 2009 jettero [...] cpan.org - Taken
  Sun Jun 21 08:01:37 2009 jettero [...] cpan.org - Correspondence added
I've spent the last week clearing all the tickets for net-imap-simple, which I just recently inherited. I saved this ticket for last because it sounded like fun (or at least a little challenging). Imagine how surprised I was to find that you had already solved it with a patch. Hehe. Applied. (There's a test to prove this works now.) -- If riding in an airplane is flying, then riding in a boat is swimming. 109 jumps, 44.4 minutes of freefall, 85.0 freefall miles.
  Sun Jun 21 08:01:39 2009 The RT System itself - Status changed from 'new' to 'open'
  Sun Jun 21 08:01:47 2009 jettero [...] cpan.org - Status changed from 'open' to 'resolved'