From: Eric Wong <e@yhbt.net>
Date: Wed, 10 Jun 2020 07:03:59 +0000 (+0000)
Subject: nntpd: restrict allowed newsgroup names
X-Git-Tag: v1.6.0~465
X-Git-Url: http://www.git.stargrave.org/?p=public-inbox.git;a=commitdiff_plain;h=a7018ba43dec712675d21ace5ea1e19d901fdb0f

nntpd: restrict allowed newsgroup names

We'll be using newsgroup names as mailbox names for IMAP,
too, so ensure we don't send wonky characters in responses.

I doubt this affects any real-world instances, but a BOFH could
choose strange names to cause grief for clients.
---

diff --git a/lib/PublicInbox/NNTPD.pm b/lib/PublicInbox/NNTPD.pm
index 451f4d41..b8ec84ed 100644
--- a/lib/PublicInbox/NNTPD.pm
+++ b/lib/PublicInbox/NNTPD.pm
@@ -41,6 +41,12 @@ sub refresh_groups () {
 		if (ref $ngname) {
 			warn 'multiple newsgroups not supported: '.
 				join(', ', @$ngname). "\n";
+		# Newsgroup name needs to be compatible with RFC 3977
+		# wildmat-exact and RFC 3501 (IMAP) ATOM-CHAR.
+		# Leave out a few chars likely to cause problems or conflicts:
+		# '|', '<', '>', ';', '#', '$', '&',
+		} elsif ($ngname =~ m![^A-Za-z0-9/_\.\-\~\@\+\=:]!) {
+			warn "newsgroup name invalid: `$ngname'\n";
 		} elsif ($ng->nntp_usable) {
 			# Only valid if msgmap and search works
 			$new->{$ngname} = $ng;