ποΈ Validate and send STORE attr as an atom#658
Merged
Conversation
attr as an atomattr as an atom
Base automatically changed from
strict-atom-flag-command-arg-validation
to
master
April 23, 2026 13:57
Previously, `#store` and `#uid_store` wrapped `attr` with `RawData`. But that's completely unnecessary. `+`, `-`, and `.` are atom chars, and every STORE "message data item" defined in any RFC is an `atom`: ``` FLAGS FLAGS.SILENT +FLAGS +FLAGS.SILENT -FLAGS -FLAGS.SILENT ANNOTATION ANNOTATION.SILENT ``` We can revisit this in the future, if some new extension uses a non-atom for its STORE "message data item", but that seems unlikely. Note also that `Atom` is only applied to `String` arguments.
27d3a2e to
be87c7b
Compare
nevans
added a commit
that referenced
this pull request
Apr 23, 2026
Now that fixes for `setquota` (#659), `store`/`uid_store` (#658) have been merged, there should only be two parameters that still use `RawData`: search `criteria` and fetch `attr` (and the `UID` variants). `#search` criteria (when a string) had already been documented, but this aspect of `#fetch` attr was _not_ previously documented!
nevans
added a commit
that referenced
this pull request
Apr 23, 2026
Now that fixes for `setquota` (#659), `store`/`uid_store` (#658) have been merged, there should only be two parameters that still use `RawData`: search `criteria` and fetch `attr` (and the `UID` variants). `#search` criteria (when a string) had already been documented, but this aspect of `#fetch` attr was _not_ previously documented!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Important
This fixes a CRLF/command/argument injection vulnerability for the
attrargument to#store/#uid_store.Previously,
#storeand#uid_storewrappedattrwithRawData. But that's completely unnecessary.+,-, and.are atom chars, and every STORE "message data item" defined in any RFC is anatom:We can revisit this in the future, if some new extension uses a non-atom for its STORE "message data item", but that seems unlikely.
Note also that
Atomis only applied toStringarguments.