🔒 Strict base64 decoding of SASL challenges

`unpack("m")` will silently ignore a range of bad data. By adding error handling to authenticate, we can convert those errors into cancellation of the authentication exchange rather than crashing the connection or silently ignoring them.
ruby · Sep 26, 2023 · 82fe814 · 82fe814
1 parent 146ad37
commit 82fe814
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/lib/net/imap.rb b/lib/net/imap.rb
@@ -1253,13 +1253,12 @@ def authenticate(mechanism, *creds, sasl_ir: true, **props, &callback)
       if sasl_ir && capable?("SASL-IR") && auth_capable?(mechanism) &&
           SASL.initial_response?(authenticator)
         response = authenticator.process(nil)
-        cmdargs << (response.empty? ? "=" : [response].pack("m0"))
+        cmdargs << sasl_encode_ir(response)
       end
       result = send_command(*cmdargs) do |resp|
         if resp.instance_of?(ContinuationRequest)
-          challenge = resp.data.text.unpack1("m")
-          response  = authenticator.process(challenge)
-          response  = [response].pack("m0")
+          challenge = sasl_decode resp.data.text
+          response  = sasl_encode authenticator.process challenge
           put_string(response + CRLF)
         end
       end
@@ -1271,6 +1270,16 @@ def authenticate(mechanism, *creds, sasl_ir: true, **props, &callback)
       result
     end
 
+    private
+
+    # RFC-2060 simply used base64 encoding.  RFC-3051 and RFC9051 require empty
+    # strings be replaced with "=".
+    def sasl_encode_ir(str) str.empty? ? "=" : sasl_encode(str) end
+    def sasl_decode(str) str.unpack1("m0") end
+    def sasl_encode(str) [str].pack("m0")  end
+
+    public
+
     # Sends a {LOGIN command [IMAP4rev1 §6.2.3]}[https://www.rfc-editor.org/rfc/rfc3501#section-6.2.3]
     # to identify the client and carries the plaintext +password+ authenticating
     # this +user+.  If successful, the connection enters the "_authenticated_"