nntpd: restrict allowed newsgroup names

We'll be using newsgroup names as mailbox names for IMAP,
too, so ensure we don't send wonky characters in responses.

I doubt this affects any real-world instances, but a BOFH could
choose strange names to cause grief for clients.

diff --git a/lib/PublicInbox/NNTPD.pm b/lib/PublicInbox/NNTPD.pm
index 451f4d4183bf52875e5f3e800f269c331ccffa14..b8ec84ed6b0e24490c71cad2fa15787578a467dc 100644 (file)
--- a/lib/PublicInbox/NNTPD.pm
+++ b/lib/PublicInbox/NNTPD.pm
@@ -41,6 +41,12 @@ sub refresh_groups () {
                if (ref $ngname) {
                        warn 'multiple newsgroups not supported: '.
                                join(', ', @$ngname). "\n";
+               # Newsgroup name needs to be compatible with RFC 3977
+               # wildmat-exact and RFC 3501 (IMAP) ATOM-CHAR.
+               # Leave out a few chars likely to cause problems or conflicts:
+               # '|', '<', '>', ';', '#', '$', '&',
+               } elsif ($ngname =~ m![^A-Za-z0-9/_\.\-\~\@\+\=:]!) {
+                       warn "newsgroup name invalid: `$ngname'\n";
                } elsif ($ng->nntp_usable) {
                        # Only valid if msgmap and search works
                        $new->{$ngname} = $ng;