dxbjavid commented on PR #397: URL: https://github.com/apache/commons-net/pull/397#issuecomment-4592397853
Only CR and LF actually terminate a line in the SMTP/NNTP wire protocol, so those are the bytes that let a value break out of its header. U+2028 and the other Unicode line breaks aren't line terminators there, they just get written out as their encoded bytes (E2 80 A8 for U+2028 in UTF-8, none of which is CR or LF), so they can't inject a header field. I kept the guard to CR/LF to match that and the existing null-From check. Can widen it if you'd prefer to be strict about them, but it isn't needed to close the injection.
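The byte-level argument in the comment above, as an added Java example that is not part of the comment or of the commons-net code base: it applies a CR/LF check of the kind the comment describes to a few header values and cross-checks the result against the UTF-8 bytes that would go on the wire. The class and method names are hypothetical, the sample values are constructed, and UTF-8 encoding is assumed, as in the comment.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: names are hypothetical, not commons-net API.
public class HeaderValueGuardDemo {

    // Character-level guard: only CR and LF end a line on the SMTP/NNTP wire.
    static boolean hasCrLf(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    // Byte-level cross-check on what is actually written (UTF-8 assumed).
    // UTF-8 multi-byte sequences use only bytes >= 0x80, so a non-ASCII
    // character can never contribute 0x0D or 0x0A.
    static boolean wireBytesHaveCrLf(String value) {
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            if (b == 0x0D || b == 0x0A) {
                return true;
            }
        }
        return false;
    }

    static String hex(String value) {
        StringBuilder sb = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            sb.append(String.format("%02X ", b & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("plain", "Weekly report");
        samples.put("CRLF", "Weekly report\r\nX-Injected: 1");
        samples.put("bare LF", "Weekly report\nX-Injected: 1");
        samples.put("U+2028", "Weekly report" + (char) 0x2028 + "X-Injected: 1");
        samples.put("U+2029", "Weekly report" + (char) 0x2029 + "X-Injected: 1");
        samples.put("U+0085", "Weekly report" + (char) 0x0085 + "X-Injected: 1");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String v = e.getValue();
            System.out.printf("%-8s rejected=%-5b crlfOnWire=%-5b bytes=%s%n",
                    e.getKey(), hasCrLf(v), wireBytesHaveCrLf(v), hex(v));
        }
    }
}
```

The character check and the byte check agree on every sample here only because the encoding is UTF-8; a writer using a different charset would need the byte-level check repeated for that charset.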
