From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id AC71D1FA09 for ; Wed, 10 Jun 2020 07:05:19 +0000 (UTC) From: Eric Wong To: meta@public-inbox.org Subject: [PATCH 02/82] nntpd: restrict allowed newsgroup names Date: Wed, 10 Jun 2020 07:03:59 +0000 Message-Id: <20200610070519.18252-3-e@yhbt.net> In-Reply-To: <20200610070519.18252-1-e@yhbt.net> References: <20200610070519.18252-1-e@yhbt.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit List-Id: We'll be using newsgroup names as mailbox names for IMAP, too, so ensure we don't send wonky characters in responses. I doubt this affects any real-world instances, but a BOFH could choose strange names to cause grief for clients. --- lib/PublicInbox/NNTPD.pm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/PublicInbox/NNTPD.pm b/lib/PublicInbox/NNTPD.pm index 451f4d4183b..b8ec84ed6b0 100644 --- a/lib/PublicInbox/NNTPD.pm +++ b/lib/PublicInbox/NNTPD.pm @@ -41,6 +41,12 @@ sub refresh_groups () { if (ref $ngname) { warn 'multiple newsgroups not supported: '. join(', ', @$ngname). "\n"; + # Newsgroup name needs to be compatible with RFC 3977 + # wildmat-exact and RFC 3501 (IMAP) ATOM-CHAR. + # Leave out a few chars likely to cause problems or conflicts: + # '|', '<', '>', ';', '#', '$', '&', + } elsif ($ngname =~ m![^A-Za-z0-9/_\.\-\~\@\+\=:]!) { + warn "newsgroup name invalid: `$ngname'\n"; } elsif ($ng->nntp_usable) { # Only valid if msgmap and search works $new->{$ngname} = $ng;
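Review bot: in the new `elsif` branch, the `warn "newsgroup name invalid: `$ngname'\n"` line prints the rejected name verbatim, and a name that reaches this branch by definition contains at least one character outside the allowed set, which may be a control character or newline that ends up on stderr or an admin's terminal. Consider escaping non-printable bytes before interpolating the name into the warning. Separately, the negated class `[^A-Za-z0-9/_\.\-\~\@\+\=:]` only matches when an invalid character is present, so an empty name passes this check and falls through to `nntp_usable`; a positive anchored match such as `\A[A-Za-z0-9/_.\-~@+=:]+\z` would reject it as well. The comment listing the omitted characters also ends with a trailing comma after `'&'`, which reads as if an item was dropped.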