🍒 pick 62eea6f: 🔒🥅 Ensure STARTTLS tagged response was handled [backport #664]

nevans · nevans · commit b01e0d7a286f · 2026-04-23T14:05:16.000-04:00
Taking a "belt-and-suspenders" approach to a STARTTLS stripping attack:

This handles `STARTTLS` as a special-case: if the `STARTTLS` handler
did not run, for _whatever_ reason, an exception _must_ be raised and
the connection dropped.

_No_ command should ever receive a tagged `OK` prior to completely
sending the command.  But `STARTTLS` is security-sensitive enough to
warrant this special-case handler.
diff --git a/lib/net/imap.rb b/lib/net/imap.rb
@@ -1014,9 +1014,11 @@ def logout
     # unsolicited untagged response immeditely _after_ #starttls completes.
     #
     def starttls(options = {}, verify = true)
+      handled = false
       error = nil
       ok = send_command("STARTTLS") do |resp|
         if resp.kind_of?(TaggedResponse) && resp.name == "OK"
+          handled = true
           begin
             # for backward compatibility
             certs = options.to_str
@@ -1032,6 +1034,13 @@ def starttls(options = {}, verify = true)
         disconnect
         raise error
       end
+      unless handled
+        disconnect
+        raise InvalidResponseError,
+              "STARTTLS handler was bypassed, although server responded %p" % [
+                ok.raw_data.chomp
+              ]
+      end
       ok
     end
 
