authorGuilhem Moulin <guilhem@fripost.org>2020-08-03 19:20:05 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-08-03 20:30:46 +0200
commitbc43c0d9468a8d50ba141c8a965f9f07ed0456ff (patch)
tree4b123c259533ffc118ee4325da726fb2eaecfad9 /tests/starttls-injection/t
parentbf4175c4f5fa40c5b6385dd728d4e7732833f64c (diff)
libinterimap: Fix response injection vulnerability after STARTTLS.
For background see https://gitlab.com/muttmua/mutt/-/issues/248 .
Diffstat (limited to 'tests/starttls-injection/t')
-rw-r--r--tests/starttls-injection/t16
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/starttls-injection/t b/tests/starttls-injection/t
new file mode 100644
index 0000000..d57aa7a
--- /dev/null
+++ b/tests/starttls-injection/t
@@ -0,0 +1,16 @@
+# Test unauthenticated response injection after the STARTTLS response
+# For background see https://gitlab.com/muttmua/mutt/-/issues/248
+
+env -i USER="remote" HOME="$HOME_remote" "$TESTDIR/imapd" & PID=$!
+trap "ptree_abort $PID" EXIT INT TERM
+
+! interimap --debug || error
+
+# Make sure we show a warning but ignore ignore (unauthenticated) injected responses
+! grep -E 'remote: S: .*[ -]injected$' <"$STDERR" || error "unauthenticated response injection"
+grep -Fx 'remote: WARNING: Truncating non-empty output buffer (unauthenticated response injection?)' <"$STDERR" || error
+
+! grep -Fx 'remote: ERROR: Logins are disabled.' <"$STDERR" || error "injected capability wasn't ignored"
+grep -Fx 'remote: ERROR: Server did not advertise ENABLE (RFC 5161) capability.' <"$STDERR" || error "injected capability wasn't ignored"
+
+# vim: set filetype=sh :
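Review bot: The two bare `error` calls, after `! interimap --debug` and after the grep for the truncation warning, carry no message, so a failed run does not say whether interimap unexpectedly succeeded or the warning was missing; something like `! interimap --debug || error "interimap should have failed"` and `|| error "missing truncation warning"` on the warning grep would match the other checks. Because the first check accepts any non-zero exit, the positive greps for the warning and for the ENABLE error are what tie the failure to the injected data being discarded, and a comment could state that. The negative grep for `[ -]injected$` appears to rely on how the imapd stub labels the responses it injects, which is outside this hunk; a comment such as `# the test imapd suffixes every injected response with "injected"` (if that is the convention) would guard against it passing vacuously after a stub change. The comment above that grep also repeats the word "ignore".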