Fix missing SSL hostname validation [MiM Vuln]

fixes ConradIrwin#25 Based on: lostisland/faraday@63cf47c igrigorik/em-http-request#339
alromh87 · Sep 13, 2020 · 8eac124 · 8eac124
1 parent f926bad
commit 8eac124
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/lib/em-imap.rb b/lib/em-imap.rb
@@ -14,6 +14,7 @@
 require 'em-imap/deferrable_ssl'
 require 'em-imap/connection'
 
+require 'em-imap/ssl_verifier'
 require 'em-imap/authenticators'
 require 'em-imap/client'
 $:.shift

diff --git a/lib/em-imap/connection.rb b/lib/em-imap/connection.rb
@@ -20,9 +20,14 @@ module Connection
       #                     connection could not be established, or the
       #                     first response was BYE.
       #
+
+      attr_accessor :host
+
       def self.connect(host, port, ssl=false)
+        @host = host
         EventMachine.connect(host, port, self).tap do |conn|
-          conn.start_tls if ssl
+          conn.start_tls(:verify_peer => true) if ssl
+          conn.host = @host
         end
       end
 

diff --git a/lib/em-imap/deferrable_ssl.rb b/lib/em-imap/deferrable_ssl.rb
@@ -9,7 +9,7 @@ module DeferrableSSL
       # finished
       #
       # TODO: expose certificates so they can be verified.
-      def start_tls
+      def start_tls(verify_peer)
         unless @ssl_deferrable
           @ssl_deferrable = DG::blank
           bothback{ @ssl_deferrable.fail }