authorGuilhem Moulin <guilhem@fripost.org>2020-08-03 20:51:42 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-08-03 20:51:42 +0200
commit531e27c2dfd67b4ad600c2ad5e13e608a75f04d8 (patch)
treed669f8caf9c795d88ce3e72736157901dbcaec15 /lib/Net/IMAP
parent887526e77f7a3b707c53457b076d098a1edefeb7 (diff)
parentfe5501d4bb4c7c6365ceb009ea715356cca27a50 (diff)
Merge tag 'upstream/0.5.2' into debian
Upstream version 0.5.2
Diffstat (limited to 'lib/Net/IMAP')
-rw-r--r--lib/Net/IMAP/InterIMAP.pm19
1 files changed, 17 insertions, 2 deletions
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 1bff06e..b01e1a9 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -464,6 +464,7 @@ sub new($%) {
$self->logger('S: xxx ', $IMAP_text);
$self->{debug} = $dbg;
}
+ $self->{_STATE} = 'AUTH';
unless ($IMAP_text =~ /\A\Q$IMAP_cond\E \[CAPABILITY /) {
# refresh the CAPABILITY list since the previous one had only pre-login capabilities
@@ -471,7 +472,15 @@ sub new($%) {
$self->capabilities();
}
}
- $self->{_STATE} = 'AUTH';
+ elsif ($IMAP_cond eq 'PREAUTH') {
+ if ($self->{type} eq 'imap' and $self->{STARTTLS} != 0) {
+ $self->fail("PREAUTH greeting on plaintext connection? MiTM in action? Aborting, set \"STARTTLS = NO\" to ignore.");
+ }
+ $self->{_STATE} = 'AUTH';
+ }
+ else {
+ $self->panic();
+ }
# Don't send the COMPRESS command before STARTTLS or AUTH, as per RFC 4978
if ($self->{compress} // 1 and
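Review bot: The plaintext-PREAUTH guard in the new `elsif` branch compares `$self->{STARTTLS} != 0` numerically, so if that option can still be undef at this point the test is false and the greeting is accepted without TLS. Whether the constructor defaults the option earlier is not visible in this hunk; if it does not, `($self->{STARTTLS} // 1) != 0` keeps the check fail-closed and matches the `$self->{compress} // 1` idiom just below. A short comment would also explain why this aborts, e.g. `# STARTTLS is only valid before authentication, so a PREAUTH session can never be upgraded to TLS`. `new` starts and ends outside the hunk.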
@@ -506,6 +515,7 @@ sub new($%) {
: ($self->{enable});
if (@extensions) {
$self->fail("Server did not advertise ENABLE (RFC 5161) capability.") unless $self->_capable('ENABLE');
+ $self->fail("Server did not advertise $_ capability.") foreach grep { !$self->_capable($_) } @extensions;
$self->_send('ENABLE '.join(' ',@extensions));
my @enabled = @{$self->{_ENABLED} // []};
$self->fail("Couldn't ENABLE $_") foreach
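Review bot: The added per-extension check reports missing capabilities one at a time: assuming `fail` aborts, the `foreach` stops at the first extension the server does not advertise. Collecting them first gives one complete message: `my @missing = grep { !$self->_capable($_) } @extensions;` followed by `$self->fail("Server did not advertise capability: @missing") if @missing;`. The enclosing `if (@extensions)` block continues outside the hunk.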
@@ -1653,6 +1663,11 @@ sub _start_ssl($$) {
my $ctx = Net::SSLeay::CTX_new() or $self->panic("Failed to create SSL_CTX $!");
my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
+ if (defined $self->{_OUTBUF} and $self->{_OUTBUF} ne '') {
+ $self->warn("Truncating non-empty output buffer (unauthenticated response injection?)");
+ undef $self->{_OUTBUF};
+ }
+
$self->{SSL_protocols} //= q{!SSLv2 !SSLv3 !TLSv1 !TLSv1.1};
my ($proto_include, $proto_exclude) = (0, 0);
foreach (split /\s+/, $self->{SSL_protocols}) {
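Review bot: The new `_OUTBUF` check in `_start_ssl` only warns and carries on, while the PREAUTH case added to `new` in the same commit aborts with `fail`; the two are handled inconsistently even though the warning text itself names response injection as the likely cause. Dropping the buffered bytes does stop pre-handshake data from being read as if it had arrived over TLS, so continuing is defensible, but that reasoning belongs in a comment, e.g. `# anything buffered before the handshake arrived in cleartext and must not be parsed inside the TLS session`. That `_OUTBUF` holds data received from the peer is inferred from the message and is not visible here. Including the discarded byte count in the warning would make the event easier to triage from logs. The body of `_start_ssl` continues outside the hunk.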
@@ -1679,7 +1694,7 @@ sub _start_ssl($$) {
Net::SSLeay::CTX_set_mode($ctx,
Net::SSLeay::MODE_ENABLE_PARTIAL_WRITE() |
Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER() |
- Net::SSLeay::MODE_AUTO_RETRY() | # don't fail SSL_read on renegociation
+ Net::SSLeay::MODE_AUTO_RETRY() | # don't fail SSL_read on renegotiation
Net::SSLeay::MODE_RELEASE_BUFFERS() );
if (defined (my $ciphers = $self->{SSL_cipherlist})) {