Skip to content

Handle too long dates passed to DateTime.parse #1469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Handle too long dates passed to DateTime.parse #1469

wants to merge 1 commit into from

Conversation

@rosa
Copy link
Contributor

@rosa rosa commented Dec 20, 2021

Since Ruby 3.0.3, this method raises an ArgumentError with a different message from the invalid date message, as mitigation for CVE-2021-41817.

ArgumentError: string length (150) exceeds the limit 128

This PR handles this error to return nil, just like when the date is invalid.

rosa
rosa commented Jan 3, 2022
View reviewed changes
lib/mail/fields/common_date_field.rb Outdated
def with_invalid_date_time_error_handling(&block)
yield
rescue ArgumentError => e
raise unless e.message =~ /\A(invalid date|string length \(\d+\) exceeds the limit \d+)\z/
Copy link
Contributor Author

@rosa rosa Jan 3, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps this should live in Mail::Utilities so it's used from here and from ReceivedElement.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please move it into utilities.

@gbp gbp mentioned this pull request Mar 4, 2022
Closed
mikel
mikel requested changes Dec 3, 2022
View reviewed changes
Copy link
Owner

@mikel mikel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall nice catch, thanks, please move to utility as you suggested

lib/mail/fields/common_date_field.rb Outdated
def with_invalid_date_time_error_handling(&block)
yield
rescue ArgumentError => e
raise unless e.message =~ /\A(invalid date|string length \(\d+\) exceeds the limit \d+)\z/
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please move it into utilities.

lib/mail/elements/received_element.rb Outdated
::DateTime.parse("#{received.date} #{received.time}")
rescue ArgumentError => e
raise e unless e.message == 'invalid date'
raise unless e.message =~ /\A(invalid date|string length \(\d+\) exceeds the limit \d+)\z/
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's call the utility method you will create. One place to keep this up to date makes sense.

@mikel mikel added this to the 2.9.0 milestone Dec 3, 2022
@rosa
Copy link
Contributor Author

rosa commented Dec 6, 2022

Thanks a lot for the review, @mikel! I'll get these changes implemented this week, I hope.

@rosa
Handle too long dates passed to DateTime.parse
51268d5 
Since Ruby 3.0.3, this method raises an ArgumentError
with a different message from the invalid date message,
as mitigation for CVE-2021-41817.
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/

Example:
  ArgumentError: string length (150) exceeds the limit 128

In this case we should just return nil, like when the date itself is
invalid.
@rosa
Copy link
Contributor Author

rosa commented Dec 8, 2022

Implemented the changes requested 😊

@rosa rosa requested a review from mikel December 12, 2022 09:41
@mantas mantas mentioned this pull request Apr 24, 2023
Closed
@zealot128
Copy link

Unfortunately, that is still an issue in 2024 with Mail 2.8.1 on 3.3.0.

That exception also breaks the POP functionality, as it crashes without option to rescue the individual mail:

mails = Mail.all delete_after_find: true

ArgumentError: string length (226) exceeds the limit 128 (ArgumentError)

          datetime = ::DateTime.parse(stripped)
                                      ^^^^^^^^
  from mail (2.8.1) lib/mail/fields/common_date_field.rb:17:in `parse'
  from mail (2.8.1) lib/mail/fields/common_date_field.rb:17:in `normalize_datetime'
  from mail (2.8.1) lib/mail/fields/common_date_field.rb:31:in `initialize'
  from mail (2.8.1) lib/mail/fields/common_field.rb:12:in `new'
  from mail (2.8.1) lib/mail/fields/common_field.rb:12:in `parse'

Any chance, this PR gets merged?
For now, we need manual intervention and delete the mail from the inbox.

@pdg137
Copy link

pdg137 commented Sep 21, 2025
edited
Loading

This is still an issue on the current master branch d1d65b3. A long date field will crash the mail gem. I'm working around it with a monkeypatch like this:

require 'mail/fields/common_date_field' # must require this before overriding the method below

module Mail
  class CommonDateField < NamedStructuredField
    def initialize(value = nil, charset = nil)
      value = value && value[..127] # fix bug with long date fields, see https://github.com/mikel/mail/pull/1469
      super self.class.normalize_datetime(value), charset
    end
  end
end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mikel mikel Awaiting requested review from mikel

Requested changes must be addressed to merge this pull request.

Assignees

@rosa rosa

Labels

Compatibility Header Fields More Work Needed

Projects

None yet

Milestone

2.9.0

Development

Successfully merging this pull request may close these issues.

4 participants

@rosa @zealot128 @pdg137 @mikel