From 847748d5df150d6992d4d19c26bff6c05a109f17 Mon Sep 17 00:00:00 2001
From: nick evans
Date: Fri, 22 May 2026 15:27:20 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=A5=85=20Validate=20that=20Atom=20and=20F?= =?UTF-8?q?lag=20are=20not=20empty?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`Atom` and `Flag` have only been used for argument validation since v0.6.4 (as well as v0.5.14 and v0.4.24), and they validated for absense of `atom-specials`. But they failed to check that the strings are not empty. While this could be used to create syntax errors, I don't believe it amounts a security vulnerability. The result would be no different from any other `BAD` server response, which an application must be prepared to handle.
---
 lib/net/imap/command_data.rb | 2 ++
 test/net/imap/test_command_data.rb | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/lib/net/imap/command_data.rb b/lib/net/imap/command_data.rb
index 7d817430..9a5749b5 100644
--- a/lib/net/imap/command_data.rb
+++ b/lib/net/imap/command_data.rb
@@ -257,6 +257,8 @@ def validate
 or raise DataFormatError, "#{self.class} must be ASCII only"
 data.match?(ResponseParser::Patterns::ATOM_SPECIALS) \
 and raise DataFormatError, "#{self.class} must not contain atom-specials"
+ data.empty? \
+ and raise DataFormatError, "#{self.class} must not be empty"
 end

 def send_data(imap, tag)
diff --git a/test/net/imap/test_command_data.rb b/test/net/imap/test_command_data.rb
index 2946ee1f..59419899 100644
--- a/test/net/imap/test_command_data.rb
+++ b/test/net/imap/test_command_data.rb
@@ -85,6 +85,7 @@ def send_data(*data, tag: TAG)
 "with_quoted_specials\\",
 "with\rCR",
 "with\nLF",
+ "", # empty
 ].each do |symbol|
 assert_raise_with_message(Net::IMAP::DataFormatError, /\batom\b/i) do
 imap.send_data Atom[symbol]
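Review bot: The new `data.empty?` guard in `validate` (lib/net/imap/command_data.rb) has no comment tying it to the grammar rule it enforces, so a later reader cannot tell that it is a protocol requirement rather than a convenience check. The IMAP grammar defines `atom = 1*ATOM-CHAR`, so I would add `# atom = 1*ATOM-CHAR: a zero-length string is not a valid atom` directly above the check. A short doc comment on `validate` stating that these checks are what stop caller-supplied strings from changing the syntax of the outgoing command would also help anyone who later edits them. `validate` begins before the hunk, so the receiver of the ASCII check is not visible here.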
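Review bot: The new `""` case in the Atom list of test/net/imap/test_command_data.rb (and the `:""` case in the Flag hunk at -116) is asserted only against `/\batom\b/i` and `/\bflag\b/i`. Those patterns presumably match the class name that `#{self.class}` interpolates into every DataFormatError message, so the test would still pass if the empty string were rejected by some other branch. A dedicated assertion on the new message would pin the regression, for example `assert_raise_with_message(Net::IMAP::DataFormatError, /must not be empty/) { imap.send_data Atom[""] }`, with the same for `Flag[:""]`. The enclosing test methods start and end outside both hunks.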
@@ -116,6 +117,7 @@ def send_data(*data, tag: TAG)
 :"with_quoted_specials\\",
 :"with\rCR",
 :"with\nLF",
+ :"", # empty
 ].each do |symbol|
 assert_raise_with_message(Net::IMAP::DataFormatError, /\bflag\b/i) do
 imap.send_data Flag[symbol]