📚 Improve documentation of RawData arguments

nevans · nevans · commit be32e712eb2e · 2026-04-23T10:38:55.000-04:00
Now that fixes for `setquota` (#659), `store`/`uid_store` (#658) have been merged, there should only be two parameters that still use `RawData`: search `criteria` and fetch `attr` (and the `UID` variants). `#search` criteria (when a string) had already been documented, but this aspect of `#fetch` attr was _not_ previously documented!
diff --git a/lib/net/imap.rb b/lib/net/imap.rb
@@ -2345,11 +2345,11 @@ def uid_expunge(uid_set)
     #     Encoded as an \IMAP date (see ::encode_date).
     #
     # [When +criteria+ is a String]
-    #   +criteria+ will be sent directly to the server <em>without any
-    #   validation or encoding</em>.
+    #   +criteria+ will be sent to the server <em>with minimal validation and no
+    #   encoding or formatting</em>.
     #
-    #   <em>*WARNING:* This is vulnerable to injection attacks when external
-    #   inputs are used.</em>
+    #   <em>*WARNING:* Although CRLF is prohibited, this is vulnerable to other
+    #   types of attribute injection attack if unvetted user input is used.</em>
     #
     # ==== Supported return options
     #
@@ -2670,6 +2670,13 @@ def uid_search(...)
     #
     # +attr+ is a list of attributes to fetch; see FetchStruct documentation for
     # a list of supported attributes.
+    # >>>
+    #   When +attr+ is a String, it will be sent <em>with minimal validation and
+    #   no encoding or formatting</em>.  When +attr+ is an Array, each String in
+    #   +attr+ will be sent this way.
+    #
+    #   <em>*WARNING:* Although CRLF is prohibited, this is vulnerable to other
+    #   types of attribute injection attack if unvetted user input is used.</em>
     #
     # +changedsince+ is an optional integer mod-sequence.  It limits results to
     # messages with a mod-sequence greater than +changedsince+.

Original file line number	Diff line number	Diff line change
`@@ -2345,11 +2345,11 @@ def uid_expunge(uid_set)`
`2345`	`2345`	`# Encoded as an \IMAP date (see ::encode_date).`
`2346`	`2346`	`#`
`2347`	`2347`	`# [When +criteria+ is a String]`
`2348`		`- # +criteria+ will be sent directly to the server <em>without any`
`2349`		`- # validation or encoding</em>.`
	`2348`	`+ # +criteria+ will be sent to the server <em>with minimal validation and no`
	`2349`	`+ # encoding or formatting</em>.`
`2350`	`2350`	`#`
`2351`		`- # <em>WARNING: This is vulnerable to injection attacks when external`
`2352`		`- # inputs are used.</em>`
	`2351`	`+ # <em>WARNING: Although CRLF is prohibited, this is vulnerable to other`
	`2352`	`+ # types of attribute injection attack if unvetted user input is used.</em>`
`2353`	`2353`	`#`
`2354`	`2354`	`# ==== Supported return options`
`2355`	`2355`	`#`
`@@ -2670,6 +2670,13 @@ def uid_search(...)`
`2670`	`2670`	`#`
`2671`	`2671`	`# +attr+ is a list of attributes to fetch; see FetchStruct documentation for`
`2672`	`2672`	`# a list of supported attributes.`
	`2673`	`+ # >>>`
	`2674`	`+ # When +attr+ is a String, it will be sent <em>with minimal validation and`
	`2675`	`+ # no encoding or formatting</em>. When +attr+ is an Array, each String in`
	`2676`	`+ # +attr+ will be sent this way.`
	`2677`	`+ #`
	`2678`	`+ # <em>WARNING: Although CRLF is prohibited, this is vulnerable to other`
	`2679`	`+ # types of attribute injection attack if unvetted user input is used.</em>`
`2673`	`2680`	`#`
`2674`	`2681`	`# +changedsince+ is an optional integer mod-sequence. It limits results to`
`2675`	`2682`	`# messages with a mod-sequence greater than +changedsince+.`