v0.6.4

[nevans]

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

Warning

Without #664, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Important

Argument validation is significantly improved. Several command injection vulnerabilities have been fixed:
#657 fixes a CRLF/command injection vulnerability for Symbol arguments.
#658 fixes a CRLF/command injection vulnerability for the attr argument to #store/#uid_store.
#659 fixes a CRLF/command injection vulnerability for the storage_limit argument to #setquota.
#660 fixes a CRLF/command injection vulnerability for RawData, which is used by:

• #search and #uid_search send criteria as raw data, when it is a String
• #fetch and #uid_fetch send attr as raw data, when it is a String.
  When attr is an Array, its String members are sent as raw data.

Caution

RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

Note

Two denial of service vectors have been addressed. These should only be relevant when connecting to an untrusted hostile server (or without TLS).

#642 fixes quadratic time complexity when reading large responses containing many string literals.
#654 adds a configurable max_iterations count for SCRAM-* authentication.

Warning

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers. It must be explicitly configured by the user.

Breaking Changes

• ⚡ ResponseReader memoizes Config#max_response_size in ⚡ Much faster ResponseReader performance #642.
  Changes to #max_response_size take effect once per response, rather than once per IO#read.
  NOTE: It is not expected that this will affect any current usage. See the PR for details.

Added

• ✨ Support BINARY extention to #append (RFC3516) by @nevans in ✨ Support BINARY extention to #append (RFC3516)  #616
• ✨ Support LITERAL+ and LITERAL- non-synchronizing literals (RFC7888) by @nevans in ✨ Support LITERAL+ and LITERAL- non-synchronizing literals (RFC7888) #649
• ⚡ Much faster ResponseReader performance by @nevans in ⚡ Much faster ResponseReader performance #642
• 🔒 Add ScramAuthenticator#max_iterations by @nevans in 🔒 Add ScramAuthenticator#max_iterations #654
• 🏷️ Add number64 and nz-number64 to NumValidator by @nevans in 🏷️ Add number64 and nz-number64 to NumValidator #625
• ♻️ Add MailboxQuota#quota_root alias by @nevans in 📚️ Fix QUOTA documentation, ✅ Test #setquota, ♻️ Add MailboxQuota#quota_root alias #636
• 🔍 Simplify Net::IMAP#inspect with basic state by @nevans in 🔍 Simplify Net::IMAP#inspect with basic state #612
• 🥅 Add ResponseParseError#parser_methods (and override #==) by @nevans in 🥅 Add ResponseParseError#parser_methods (and override #==) #615

Fixed

• 🔒 Fix STARTTLS stripping vulnerability in 🔒 Fix STARTTLS stripping vulnerability #664, reported by @Masamuneee
• Argument validation, reported by @manunio
  • 🔒️ Strictly validate symbol (\flag) arguments in 🔒️ Strictly validate symbol (\flag) arguments #657
  • 🔒️ Validate and send STORE attr as an atom in 🔒️ Validate and send STORE attr as an atom #658
  • 🔒 Validate #setquota storage limit argument in 🔒 Validate #setquota storage limit argument #659
  • 🔒 Validate RawData for CRLF injection in 🔒🐛 Validate RawData and wait to continue literals #660
  • 📚 Improve documentation of RawData arguments in 📚 Improve documentation of RawData arguments #661
• 🔒 Add ScramAuthenticator#max_iterations in 🔒 Add ScramAuthenticator#max_iterations #654, reported by @Masamuneee
• 🥅 Successfully parse invalid response code data by @nevans in 🥅 Successfully parse invalid response code data #614
• Fix JRuby SSL connection failure: use SSLContext#setup instead of #freeze by @idahomst in Fix JRuby SSL connection failure: use SSLContext#setup instead of freeze #627
• 🐛 Fix InvalidResponseError in #get_tagged_response by @nevans in 🐛 Fix InvalidResponseError in #get_tagged_response #633
• Pass an Exception to #raise by @eregon in Pass an Exception to #raise #643
• 🐛 Fix empty SearchResult#to_sequence_set in 🐛 Fix empty SearchResult#to_sequence_set #644, reported by @Quintasan
• 🐛 Wait to continue RawData literals by @nevans in 🔒🐛 Validate RawData and wait to continue literals #660

Documentation

• 📚 Fix rdoc 7.2 compatibility (section bugfix) by @nevans in 📚 Fix rdoc 7.2 compatibility (section bugfix) #617
• 📚 Switch back to rdoc's darkfish generator (🚧TMP) by @nevans in 📚 Switch back to rdoc's darkfish generator (🚧TMP) #618
• 📚 Use .document and .rdoc_options files, where possible by @nevans in 📚 Use .document and .rdoc_options files, where possible #619
• Update README example: Expunge is implicit in MOVE by @sebbASF in Update README example: Expunge is implicit in MOVE #623
• 📚️ Fix QUOTA documentation by @nevans in 📚️ Fix QUOTA documentation, ✅ Test #setquota, ♻️ Add MailboxQuota#quota_root alias #636
• 📚 Minor documentation fixes by @nevans in 📚 Minor documentation fixes #638
• 📚 Improve documentation of RawData arguments by @nevans in 📚 Improve documentation of RawData arguments #661

Other Changes

• Handle deep response recursion as ResponseParseError by @Masamuneee in Handle deep response recursion as ResponseParseError #629

Miscellaneous

• ✅ Fix typo in FakeServer (tests only) by @nevans in ✅ Fix typo in FakeServer (tests only) #620
• ⬆️ Bump step-security/harden-runner from 2.14.2 to 2.15.0 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.14.2 to 2.15.0 #621
• Bump step-security/harden-runner from 2.15.0 to 2.15.1 by @dependabot[bot] in Bump step-security/harden-runner from 2.15.0 to 2.15.1 #626
• ⬆️ Bump step-security/harden-runner from 2.15.1 to 2.16.0 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.15.1 to 2.16.0 #628
• ⬆️ Bump actions/configure-pages from 5 to 6 by @dependabot[bot] in ⬆️ Bump actions/configure-pages from 5 to 6 #635
• ✅ Test #setquota by @nevans in 📚️ Fix QUOTA documentation, ✅ Test #setquota, ♻️ Add MailboxQuota#quota_root alias #636
• ⬆️ Bump actions/deploy-pages from 4 to 5 by @dependabot[bot] in ⬆️ Bump actions/deploy-pages from 4 to 5 #634
• ⬆️ Bump step-security/harden-runner from 2.16.0 to 2.17.0 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.16.0 to 2.17.0 #639
• Test TruffleRuby release in CI for improved stability by @eregon in Test TruffleRuby release in CI for improved stability #640
• ⬆️ Bump actions/upload-pages-artifact from 4 to 5 by @dependabot[bot] in ⬆️ Bump actions/upload-pages-artifact from 4 to 5 #646
• ⬆️ Bump step-security/harden-runner from 2.17.0 to 2.19.0 by @dependabot[bot] in ⬆️ Bump step-security/harden-runner from 2.17.0 to 2.19.0 #647

New Contributors

• @sebbASF made their first contribution in Update README example: Expunge is implicit in MOVE #623
• @idahomst made their first contribution in Fix JRuby SSL connection failure: use SSLContext#setup instead of freeze #627
• @Masamuneee made their first contribution in Handle deep response recursion as ResponseParseError #629
• @eregon made their first contribution in Test TruffleRuby release in CI for improved stability #640

Full Changelog: v0.6.3...v0.6.4

---

This discussion was created from the release v0.6.4.