From a7018ba43dec712675d21ace5ea1e19d901fdb0f Mon Sep 17 00:00:00 2001
From: Eric Wong <e@yhbt.net>
Date: Wed, 10 Jun 2020 07:03:59 +0000
Subject: [PATCH] nntpd: restrict allowed newsgroup names

We'll be using newsgroup names as mailbox names for IMAP,
too, so ensure we don't send wonky characters in responses.

I doubt this affects any real-world instances, but a BOFH could
choose strange names to cause grief for clients.
---
 lib/PublicInbox/NNTPD.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/PublicInbox/NNTPD.pm b/lib/PublicInbox/NNTPD.pm
index 451f4d41..b8ec84ed 100644
--- a/lib/PublicInbox/NNTPD.pm
+++ b/lib/PublicInbox/NNTPD.pm
@@ -41,6 +41,12 @@ sub refresh_groups () {
 		if (ref $ngname) {
 			warn 'multiple newsgroups not supported: '.
 				join(', ', @$ngname). "\n";
+		# Newsgroup name needs to be compatible with RFC 3977
+		# wildmat-exact and RFC 3501 (IMAP) ATOM-CHAR.
+		# Leave out a few chars likely to cause problems or conflicts:
+		# '|', '<', '>', ';', '#', '$', '&',
+		} elsif ($ngname =~ m![^A-Za-z0-9/_\.\-\~\@\+\=:]!) {
+			warn "newsgroup name invalid: `$ngname'\n";
 		} elsif ($ng->nntp_usable) {
 			# Only valid if msgmap and search works
 			$new->{$ngname} = $ng;
-- 
2.44.0