-
Notifications
You must be signed in to change notification settings - Fork 938
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle too long dates passed to DateTime.parse #1469
base: master
Are you sure you want to change the base?
Conversation
lib/mail/fields/common_date_field.rb
Outdated
def with_invalid_date_time_error_handling(&block) | ||
yield | ||
rescue ArgumentError => e | ||
raise unless e.message =~ /\A(invalid date|string length \(\d+\) exceeds the limit \d+)\z/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps this should live in Mail::Utilities
so it's used from here and from ReceivedElement
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, please move it into utilities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall nice catch, thanks, please move to utility as you suggested
lib/mail/fields/common_date_field.rb
Outdated
def with_invalid_date_time_error_handling(&block) | ||
yield | ||
rescue ArgumentError => e | ||
raise unless e.message =~ /\A(invalid date|string length \(\d+\) exceeds the limit \d+)\z/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, please move it into utilities.
@@ -27,7 +27,7 @@ def to_s(*args) | |||
def datetime_for(received) | |||
::DateTime.parse("#{received.date} #{received.time}") | |||
rescue ArgumentError => e | |||
raise e unless e.message == 'invalid date' | |||
raise unless e.message =~ /\A(invalid date|string length \(\d+\) exceeds the limit \d+)\z/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's call the utility method you will create. One place to keep this up to date makes sense.
Thanks a lot for the review, @mikel! I'll get these changes implemented this week, I hope. |
Since Ruby 3.0.3, this method raises an ArgumentError with a different message from the invalid date message, as mitigation for CVE-2021-41817. https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ Example: ArgumentError: string length (150) exceeds the limit 128 In this case we should just return nil, like when the date itself is invalid.
Implemented the changes requested 😊 |
Unfortunately, that is still an issue in 2024 with Mail 2.8.1 on 3.3.0. That exception also breaks the POP functionality, as it crashes without option to rescue the individual mail:
Any chance, this PR gets merged? |
Since Ruby 3.0.3, this method raises an
ArgumentError
with a different message from the invalid date message, as mitigation for CVE-2021-41817.This PR handles this error to return
nil
, just like when the date is invalid.