net-imap 0.5.14 → 0.6.0

data/lib/net/imap/data_encoding.rb

@@ -155,57 +155,106 @@ module Net
 
     # Common validators of number and nz_number types
     module NumValidator # :nodoc
+      NUMBER_RE = /\A(?:0|[1-9]\d*)\z/
       module_function
 
-      # Check is passed argument valid 'number' in RFC 3501 terminology
+      # Check if argument is a valid 'number' according to RFC 3501
+      #     number          = 1*DIGIT
+      #                        ; Unsigned 32-bit integer
+      #                        ; (0 <= n < 4,294,967,296)
       def valid_number?(num)
-        # [RFC 3501]
-        # number          = 1*DIGIT
-        #                    ; Unsigned 32-bit integer
-        #                    ; (0 <= n < 4,294,967,296)
-        num >= 0 && num < 4294967296
+        0 <= num && num <= 0xffff_ffff
       end
 
-      # Check is passed argument valid 'nz_number' in RFC 3501 terminology
+      # Check if argument is a valid 'nz-number' according to RFC 3501
+      #     nz-number       = digit-nz *DIGIT
+      #                        ; Non-zero unsigned 32-bit integer
+      #                        ; (0 < n < 4,294,967,296)
       def valid_nz_number?(num)
-        # [RFC 3501]
-        # nz-number       = digit-nz *DIGIT
-        #                    ; Non-zero unsigned 32-bit integer
-        #                    ; (0 < n < 4,294,967,296)
-        num != 0 && valid_number?(num)
+        0 < num && num <= 0xffff_ffff
       end
 
-      # Check is passed argument valid 'mod_sequence_value' in RFC 4551 terminology
+      # Check if argument is a valid 'mod-sequence-value' according to RFC 4551
+      #     mod-sequence-value  = 1*DIGIT
+      #                            ; Positive unsigned 64-bit integer
+      #                            ; (mod-sequence)
+      #                            ; (1 <= n < 18,446,744,073,709,551,615)
       def valid_mod_sequence_value?(num)
-        # mod-sequence-value  = 1*DIGIT
-        #                        ; Positive unsigned 64-bit integer
-        #                        ; (mod-sequence)
-        #                        ; (1 <= n < 18,446,744,073,709,551,615)
-        num >= 1 && num < 18446744073709551615
+        1 <= num && num < 0xffff_ffff_ffff_ffff
+      end
+
+      # Check if argument is a valid 'mod-sequence-valzer' according to RFC 4551
+      #     mod-sequence-valzer = "0" / mod-sequence-value
+      def valid_mod_sequence_valzer?(num)
+        0 <= num && num < 0xffff_ffff_ffff_ffff
       end
 
       # Ensure argument is 'number' or raise DataFormatError
       def ensure_number(num)
         return num if valid_number?(num)
-
-        msg = "number must be unsigned 32-bit integer: #{num}"
-        raise DataFormatError, msg
+        raise DataFormatError,
+          "number must be unsigned 32-bit integer: #{num}"
       end
 
-      # Ensure argument is 'nz_number' or raise DataFormatError
+      # Ensure argument is 'nz-number' or raise DataFormatError
       def ensure_nz_number(num)
         return num if valid_nz_number?(num)
-
-        msg = "nz_number must be non-zero unsigned 32-bit integer: #{num}"
-        raise DataFormatError, msg
+        raise DataFormatError,
+          "nz-number must be non-zero unsigned 32-bit integer: #{num}"
       end
 
-      # Ensure argument is 'mod_sequence_value' or raise DataFormatError
+      # Ensure argument is 'mod-sequence-value' or raise DataFormatError
       def ensure_mod_sequence_value(num)
         return num if valid_mod_sequence_value?(num)
+        raise DataFormatError,
+          "mod-sequence-value must be non-zero unsigned 64-bit integer: #{num}"
+      end
+
+      # Ensure argument is 'mod-sequence-valzer' or raise DataFormatError
+      def ensure_mod_sequence_valzer(num)
+        return num if valid_mod_sequence_valzer?(num)
+        raise DataFormatError,
+          "mod-sequence-valzer must be unsigned 64-bit integer: #{num}"
+      end
+
+      # Like #ensure_number, but usable with numeric String input.
+      def coerce_number(num)
+        case num
+        when Integer   then ensure_number num
+        when NUMBER_RE then ensure_number Integer num
+        else
+          raise DataFormatError, "%p is not a valid number" % [num]
+        end
+      end
 
-        msg = "mod_sequence_value must be unsigned 64-bit integer: #{num}"
-        raise DataFormatError, msg
+      # Like #ensure_nz_number, but usable with numeric String input.
+      def coerce_nz_number(num)
+        case num
+        when Integer   then ensure_nz_number num
+        when NUMBER_RE then ensure_nz_number Integer num
+        else
+          raise DataFormatError, "%p is not a valid nz-number" % [num]
+        end
+      end
+
+      # Like #ensure_mod_sequence_value, but usable with numeric String input.
+      def coerce_mod_sequence_value(num)
+        case num
+        when Integer   then ensure_mod_sequence_value num
+        when NUMBER_RE then ensure_mod_sequence_value Integer num
+        else
+          raise DataFormatError, "%p is not a valid mod-sequence-value" % [num]
+        end
+      end
+
+      # Like #ensure_mod_sequence_valzer, but usable with numeric String input.
+      def coerce_mod_sequence_valzer(num)
+        case num
+        when Integer   then ensure_mod_sequence_valzer num
+        when NUMBER_RE then ensure_mod_sequence_valzer Integer num
+        else
+          raise DataFormatError, "%p is not a valid mod-sequence-valzer" % [num]
+        end
       end
 
     end

data/lib/net/imap/esearch_result.rb

@@ -25,6 +25,12 @@ module Net
     # Some search extensions may result in the server sending ESearchResult
     # responses after the initiating command has completed.  Use
     # IMAP#add_response_handler to handle these responses.
+    #
+    # ==== Compatibility with SearchResult
+    #
+    # Note that both SearchResult and ESearchResult implement +each+, +to_a+,
+    # and +to_sequence_set+.  These methods can be used regardless of whether
+    # the server returns +SEARCH+ or +ESEARCH+ data (or no data).
     class ESearchResult < Data.define(:tag, :uid, :data)
       def initialize(tag: nil, uid: nil, data: nil)
         tag  => String       | nil; tag = -tag if tag

data/lib/net/imap/response_data.rb

@@ -6,7 +6,6 @@ module Net
     autoload :FetchData,        "#{__dir__}/fetch_data"
     autoload :UIDFetchData,     "#{__dir__}/fetch_data"
     autoload :SearchResult,     "#{__dir__}/search_result"
-    autoload :UIDPlusData,      "#{__dir__}/uidplus_data"
     autoload :AppendUIDData,    "#{__dir__}/uidplus_data"
     autoload :CopyUIDData,      "#{__dir__}/uidplus_data"
     autoload :VanishedData,     "#{__dir__}/vanished_data"
@@ -260,8 +259,8 @@ module Net
     #
     # === +UIDPLUS+ extension
     # See {[RFC4315 §3]}[https://www.rfc-editor.org/rfc/rfc4315#section-3].
-    # * +APPENDUID+, #data is UIDPlusData.  See IMAP#append.
-    # * +COPYUID+, #data is UIDPlusData.  See IMAP#copy.
+    # * +APPENDUID+, #data is AppendUIDData.  See IMAP#append.
+    # * +COPYUID+, #data is CopyUIDData.  See IMAP#copy.
     # * +UIDNOTSTICKY+, #data is +nil+.  See IMAP#select.
     #
     # === +SEARCHRES+ extension
@@ -307,14 +306,6 @@ module Net
     #   because the server doesn't allow deletion of mailboxes with children.
     #   #data is +nil+.
     #
-    # === <tt>QUOTA=RES-*</tt> response codes
-    # See {[RFC9208]}[https://www.rfc-editor.org/rfc/rfc9208.html#section-4.3].
-    # * +OVERQUOTA+ (also in RFC5530[https://www.rfc-editor.org/rfc/rfc5530]),
-    #   with a tagged +NO+ response to an +APPEND+/+COPY+/+MOVE+ command when
-    #   the command would put the target mailbox over any quota, and with an
-    #   untagged +NO+ when a mailbox exceeds a soft quota (which may be caused
-    #   be external events).  #data is +nil+.
-    #
     # === +CONDSTORE+ extension
     # See {[RFC7162]}[https://www.rfc-editor.org/rfc/rfc7162.html].
     # * +NOMODSEQ+, when selecting a mailbox that does not support
@@ -392,23 +383,14 @@ module Net
     # and MailboxQuota objects.
     #
     # == Required capability
-    #
     # Requires +QUOTA+ [RFC2087[https://www.rfc-editor.org/rfc/rfc2087]]
-    # or <tt>QUOTA=RES-STORAGE</tt>
-    # [RFC9208[https://www.rfc-editor.org/rfc/rfc9208]] capability.
+    # capability.
     class MailboxQuota < Struct.new(:mailbox, :usage, :quota)
       ##
       # method: mailbox
       # :call-seq: mailbox -> string
       #
-      # The quota root with the associated quota.
-      #
-      # NOTE: this was mistakenly named "mailbox".  But the quota root's name may
-      # differ from the mailbox.  A single quota root may cover multiple
-      # mailboxes, and a single mailbox may be governed by multiple quota roots.
-
-      # The quota root with the associated quota.
-      alias quota_root mailbox
+      # The mailbox with the associated quota.
 
       ##
       # method: usage
@@ -420,7 +402,7 @@ module Net
       # method: quota
       # :call-seq: quota -> Integer
       #
-      # Storage limit imposed on the mailbox.
+      # Quota limit imposed on the mailbox.
       #
     end
 

data/lib/net/imap/response_parser.rb

@@ -2017,24 +2017,19 @@ module Net
         CopyUID(validity, src_uids, dst_uids)
       end
 
-      def AppendUID(...) DeprecatedUIDPlus(...) || AppendUIDData.new(...) end
-      def CopyUID(...)   DeprecatedUIDPlus(...) || CopyUIDData.new(...)   end
-
       # TODO: remove this code in the v0.6.0 release
       def DeprecatedUIDPlus(validity, src_uids = nil, dst_uids)
         return unless config.parser_use_deprecated_uidplus_data
-        compact_uid_sets = [src_uids, dst_uids].compact
-        count = compact_uid_sets.map { _1.count_with_duplicates }.max
-        max   = config.parser_max_deprecated_uidplus_data_size
-        if count <= max
-          src_uids &&= src_uids.each_ordered_number.to_a
-          dst_uids   = dst_uids.each_ordered_number.to_a
-          UIDPlusData.new(validity, src_uids, dst_uids)
-        elsif config.parser_use_deprecated_uidplus_data != :up_to_max_size
-          parse_error("uid-set is too large: %d > %d", count, max)
-        end
+        warn("#{Config}#parser_use_deprecated_uidplus_data is ignored " \
+             "since v0.6.0.  Disable this warning by setting " \
+             "config.parser_use_deprecated_uidplus_data = false.",
+             category: :deprecated, uplevel: 9)
+        nil
       end
 
+      def AppendUID(...) DeprecatedUIDPlus(...) || AppendUIDData.new(...) end
+      def CopyUID(...)   DeprecatedUIDPlus(...) || CopyUIDData.new(...)   end
+
       ADDRESS_REGEXP = /\G
         \( (?: NIL | #{Patterns::QUOTED_rev2} )  # 1: NAME
         \s (?: NIL | #{Patterns::QUOTED_rev2} )  # 2: ROUTE

data/lib/net/imap/response_reader.rb

@@ -8,7 +8,6 @@ module Net
 
       def initialize(client, sock)
         @client, @sock = client, sock
-        @buff = @literal_size = nil
       end
 
       def read_response_buffer
@@ -16,13 +15,13 @@ module Net
         catch :eof do
           while true
             read_line
-            break unless literal_size
+            break unless (@literal_size = get_literal_size)
             read_literal
           end
         end
         buff
       ensure
-        @buff = @literal_size = nil
+        @buff = nil
       end
 
       private
@@ -31,18 +30,13 @@ module Net
 
       def bytes_read          = buff.bytesize
       def empty?              = buff.empty?
-      def done?               = line_done? && !literal_size
+      def done?               = line_done? && !get_literal_size
       def line_done?          = buff.end_with?(CRLF)
-
-      def get_literal_size(buff)
-        buff.end_with?("}\r\n") && buff.rindex(/\{(\d+)\}\r\n\z/n) && $1.to_i
-      end
+      def get_literal_size    = /\{(\d+)\}\r\n\z/n =~ buff && $1.to_i
 
       def read_line
-        line = (@sock.gets(CRLF, read_limit) or throw :eof)
-        buff << line
+        buff << (@sock.gets(CRLF, read_limit) or throw :eof)
         max_response_remaining! unless line_done?
-        @literal_size = get_literal_size(line)
       end
 
       def read_literal

data/lib/net/imap/sasl/scram_authenticator.rb

@@ -75,19 +75,13 @@ module Net
         # * #password ― Password or passphrase associated with this #username.
         # * _optional_ #authzid ― Alternate identity to act as or on behalf of.
         # * _optional_ #min_iterations - Overrides the default value (4096).
-        # * _optional_ #max_iterations - Overrides the default value (2³¹ - 1).
         #
         # Any other keyword parameters are quietly ignored.
-        #
-        # *NOTE:* <em>It is the user's responsibility</em> to enforce minimum
-        # and maximum iteration counts that are appropriate for their security
-        # context.
         def initialize(username_arg = nil, password_arg = nil,
                        authcid: nil, username: nil,
                        authzid: nil,
                        password: nil, secret: nil,
                        min_iterations: 4096, # see both RFC5802 and RFC7677
-                       max_iterations: 2**31 - 1,  # max int32
                        cnonce: nil, # must only be set in tests
                        **options)
           @username = username || username_arg || authcid or
@@ -100,22 +94,7 @@ module Net
           @min_iterations.positive? or
             raise ArgumentError, "min_iterations must be positive"
 
-          @max_iterations = Integer max_iterations.to_int
-          @min_iterations <= @max_iterations or
-            raise ArgumentError, "max_iterations must be more than min_iterations"
-
           @cnonce = cnonce || SecureRandom.base64(32)
-
-          # These attrs are set from the server challenges
-          @server_first_message = @snonce = @salt = @iterations = nil
-          @server_error = nil
-
-          # Memoized after @salt and @iterations have been sent.
-          @salted_password = @client_key = @server_key = nil
-
-          # These values are created and cached in response to server challenges
-          @client_first_message_bare = nil
-          @client_final_message_without_proof = nil
         end
 
         # Authentication identity: the identity that matches the #password.
@@ -148,43 +127,8 @@ module Net
 
         # The minimal allowed iteration count.  Lower #iterations will raise an
         # Error.
-        #
-        # *WARNING:* The default value (4096) is set to match guidance from
-        # both {RFC5802}[https://www.rfc-editor.org/rfc/rfc5802#page-12]
-        # and RFC7677[https://www.rfc-editor.org/rfc/rfc7677#section-4], but
-        # {modern recommendations}[https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2]
-        # are significantly higher.
-        #
-        # It is ultimately the server's responsibility to securely store
-        # password hashes.  While this parameter can alert the user to
-        # insecure password storage and prevent insecure authentication
-        # exchange, updating the iteration count generally requires resetting
-        # the password on the server.
         attr_reader :min_iterations
 
-        # The maximal allowed iteration count.  Higher #iterations will raise an
-        # Error.
-        #
-        # As noted in {RFC5802}[https://www.rfc-editor.org/rfc/rfc5802#section-9]
-        # >>>
-        #   A hostile server can perform a computational denial-of-service
-        #   attack on clients by sending a big iteration count value.
-        #
-        # *WARNING:* The default value is <tt>2³¹ - 1</tt>, the maximum signed
-        # 32-bit integer.  This is large enough for the computation to take
-        # several minutes, and insufficient protection against hostile servers.
-        #
-        # Note that <tt>OpenSSL::KDF.pbkdf2_hmac</tt> is implemented by a
-        # blocking C function, and cannot be interrupted by +Timeout+ or
-        # <tt>Thread.raise</tt>.  And it keeps the Global VM lock, as of v4.0 of
-        # the +openssl+ gem, so other ruby threads will not be able to run.
-        #
-        # <em>To prevent a denial of service attack,</em> this must be set to a
-        # safe value, depending on hardware and version of OpenSSL.  <em>It is
-        # the user's responsibility</em> to enforce minimum and maximum
-        # iteration counts that are appropriate for their security context.
-        attr_reader :max_iterations
-
         # The client nonce, generated by SecureRandom
         attr_reader :cnonce
 
@@ -203,15 +147,6 @@ module Net
         # Net::IMAP::NoResponseError.
         attr_reader :server_error
 
-        # Memoized ScramAlgorithm#salted_password (needs #salt and #iterations)
-        def salted_password; @salted_password ||= compute_salted { super } end
-
-        # Memoized ScramAlgorithm#client_key (needs #salt and #iterations)
-        def client_key; @client_key ||= compute_salted { super } end
-
-        # Memoized ScramAlgorithm#server_key (needs #salt and #iterations)
-        def server_key; @server_key ||= compute_salted { super } end
-
         # Returns a new OpenSSL::Digest object, set to the appropriate hash
         # function for the chosen mechanism.
         #
@@ -251,13 +186,6 @@ module Net
 
         private
 
-        # Checks for +salt+ and +iterations+ before yielding
-        def compute_salted
-          salt       in String  or raise Error, "unknown salt"
-          iterations in Integer or raise Error, "unknown iterations"
-          yield
-        end
-
         # Need to store this for auth_message
         attr_reader :server_first_message
 
@@ -274,8 +202,6 @@ module Net
             raise Error, "server did not send iteration count"
           min_iterations <= iterations or
             raise Error, "too few iterations: %d" % [iterations]
-          max_iterations.nil? || iterations <= max_iterations or
-            raise Error, "too many iterations: %d" % [iterations]
           mext = sparams["m"] and
             raise Error, "mandatory extension: %p" % [mext]
           snonce.start_with? cnonce or

data/lib/net/imap/search_result.rb

@@ -7,6 +7,12 @@ module Net
     # identifiers returned by Net::IMAP#uid_search.
     #
     # For backward compatibility, SearchResult inherits from Array.
+    #
+    # ==== Compatibility with ESearchResult
+    #
+    # Note that both SearchResult and ESearchResult implement +each+, +to_a+,
+    # and +to_sequence_set+.  These methods can be used regardless of whether
+    # the server returns +SEARCH+ or +ESEARCH+ data (or no data).
     class SearchResult < Array
 
       # Returns a SearchResult populated with the given +seq_nums+.