dxbjavid opened a new pull request, #400: URL: https://github.com/apache/commons-net/pull/400
The low-level sendCommand(command, args) in FTP, POP3, NNTP and SMTP appends the caller-supplied args straight onto the command line before the trailing CRLF, so an embedded CR or LF in something like an FTP path, a POP3 USER/PASS, an NNTP newsgroup or an SMTP reverse path smuggles a second command onto the control connection. I noticed it reading the sendCommand chain after the SimpleSMTPHeader work and it looks like the same CRLF-injection hole, just one layer lower. The fix rejects CR/LF inside each command builder with IllegalArgumentException, which is where it belongs since the message is assembled there, and matches the existing header guards. Tests cover each protocol.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
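The builder shape the PR describes, as an added stand-alone illustration (not commons-net's code and not the PR's diff): an unchecked builder that appends args before the CRLF, the guarded variant that rejects CR/LF with IllegalArgumentException, and a line counter showing why the guard matters. The class and method names are hypothetical; the sample FTP path is constructed and uses a harmless NOOP as the smuggled second line.

```java
/** Hypothetical stand-in for a protocol command builder; not commons-net code. */
public final class CrlfGuardExample {
    private static final String CRLF = "\r\n";

    /** Unchecked variant: mirrors the pre-fix shape the PR describes. */
    static String buildUnchecked(String command, String args) {
        StringBuilder sb = new StringBuilder(command);
        if (args != null) {
            sb.append(' ').append(args);
        }
        return sb.append(CRLF).toString();
    }

    /** Guarded variant: reject CR or LF in either field before the line is assembled. */
    static String buildGuarded(String command, String args) {
        rejectCrLf("command", command);
        rejectCrLf("args", args);
        return buildUnchecked(command, args);
    }

    static void rejectCrLf(String field, String value) {
        if (value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0)) {
            throw new IllegalArgumentException(field + " must not contain CR or LF");
        }
    }

    /** Count the lines a line-oriented server reader would see: one per CRLF. */
    static int countLines(String wire) {
        int n = 0;
        int from = 0;
        while ((from = wire.indexOf(CRLF, from)) >= 0) {
            n++;
            from += CRLF.length();
        }
        return n;
    }

    public static void main(String[] a) {
        // Constructed sample: a caller-supplied FTP path with an embedded CRLF and a harmless NOOP.
        String path = "pub" + CRLF + "NOOP";
        String wire = buildUnchecked("CWD", path);
        System.out.println("unchecked builder emits " + countLines(wire) + " lines");
        try {
            buildGuarded("CWD", path);
        } catch (IllegalArgumentException e) {
            System.out.println("guarded builder rejected: " + e.getMessage());
        }
        System.out.println("clean path emits " + countLines(buildGuarded("CWD", "pub")) + " line");
    }
}
```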
