rjk at greenend.org.uk
Sat Jul 11 09:32:01 UTC 2015
On 2015-07-10 20:46, Julien ÉLIE wrote:
>>> - Malformed From: header with POST -> could you please tell what is the
>>> malformed header you tried? I think nnrpd should enforce a valid
>>> syntax, so this one is a real bug.
>> This is:
>> DEBUG:nntpbits.ClientConnection:00000000 SEND b'From: @example.com'
> If I send "From: a at b", nnrpd complains:
> 441 From: address not in Internet syntax
> so you're right that "From: @example.com" should also be rejected.
> Is it the only pattern you found that needs fixing? (empty local part in the address)
I didn't try to find other possibilities. I'd rather use AFL to attempt
to explore this in more detail, i.e. instead of trying to use my limited
human brain to guess what might or might not be wrongly accepted l-)
>>> - 435/438/439 instead of 501 to reject articles sent via
>>> IHAVE/CHECK/TAKETHIS is the right legacy behaviour. Doing otherwise
>>> would break backwards compatibility so it shouldn't be encouraged right
>>> now. Maybe in the future...
>> The tests here aren't about rejecting articles - they are about
>> malformed message IDs.
> Yes, I understand the test case you provide.
> What I meant is that the IHAVE/CHECK/TAKETHIS commands were not supposed to send 501 responses in previous versions of NNTP so backwards compatibility is broken if we send such answers.
> For the above reasons, I am unsure that the legacy response code for invalid syntax in IHAVE/CHECK/TAKETHIS should be changed. I fear that doing that would cause endless loops in the exchanges between two servers.
That's fine, but I'm going to leave it as an 'expected failure' rather
than success, since it does seem to be an RFC violation.
More information about the inn-workers