Closed blmayer closed 9 months ago
I've written a small test for this here: https://github.com/emersion/go-smtp/tree/smtp-smuggling-test
Could you cherry-pick that commit and make sure that it passes?
Yes.
The test failed due to a timeout. I think scanner.Scan()
doesn't return, as it is expecting the correct end. I added a smaller timeout to that test, and removed the check for an incorrect end, since the server doesn't error out: it is correctly expecting more data.
See if you agree with this.
Ah right, of course. I've pushed another variant of the test which shouldn't cause a timeout.
Cool, much better, I had to adjust the check's text.
For reference, excerpt from the RFC:
The custom of accepting lines ending only in <LF>, as a concession to
non-conforming behavior on the part of some UNIX systems, has proven
to cause more interoperability problems than it solves, and SMTP
server systems MUST NOT do this, even in the name of improved
robustness. In particular, the sequence "<LF>.<LF>" (bare line
feeds, without carriage returns) MUST NOT be treated as equivalent to
<CRLF>.<CRLF> as the end of mail data indication.
Thanks for the fix!
Hi, this should be enough for closing #243. However, since this is a small code change, I did not test anything.