Mirrors/go-chasquid-smtp
1
0
Fork 0
mirror of https://blitiri.com.ar/repos/chasquid synced 2025-12-27 16:17:03 +00:00
Code Releases Activity

smtpsrv: Reject HTTP commands

Browse Source 
To help with defense-in-depth on cross-protocol attacks (e.g.
https://alpaca-attack.com/), this patch makes chasquid reject HTTP
commands.
This commit is contained in:
Alberto Bertogli
2021-06-10 18:42:56 +01:00
parent 85305f4bd9
commit 8c8e64dc29
3 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
test/t-12-minor_dialogs/wrong_proto.cmy Normal file
View File

@@ -0,0 +1,15 @@
c tcp_connect localhost:1025
c <~ 220
c -> GET /evil HTTP/1.1
c <- 502 5.7.0 You hear someone cursing shoplifters
c tcp_connect localhost:1025
c <~ 220
c -> POST /evil HTTP/1.1
c <- 502 5.7.0 You hear someone cursing shoplifters
c tcp_connect localhost:1025
c <~ 220
c -> CONNECT www.evil.com:80 HTTP/1.1
c <- 502 5.7.0 You hear someone cursing shoplifters