Description
aioSMTPD 1.4.6 accepts a syntactically invalid MAIL FROM command without angle brackets and responds with 250 OK, instead of rejecting it with a 501 response and remaining in the same state as required by RFC 5321 section 4.1.4.
Affected Version
aioSMTPD server (version 1.4.6)
Steps to Reproduce
- Start the aioSMTPD server (listening on 127.0.0.1:8034).
- Connect via telnet or nc: telnet 127.0.0.1 8034 (or nc 127.0.0.1 8034).
- Send the following commands:
- Observe the server’s reply to the MAIL command.
Buggy Behavior
The server replies 250 OK to MAIL FROM:alice@example.com (missing angle brackets around the reverse-path), thereby accepting the transaction start when the argument is syntactically invalid.
Expected Behavior
The server should reject the invalid MAIL FROM with a 501 failure reply and remain in the same state (i.e., not begin a new transaction).
As per RFC 5321: [4.1.4] If the transaction beginning command argument is not acceptable, a 501 failure reply MUST be returned and the SMTP server MUST stay in the same state.
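
The expected behavior above, sketched as an added example (not aiosmtpd's code and not part of the original report): a strict MAIL parser that returns 501 and leaves the session state untouched when the reverse-path lacks angle brackets. The `Session` class, its fields and the reply texts are hypothetical, and mailbox matching is deliberately simplified.

```python
import re

# Simplified RFC 5321 grammar: mail = "MAIL FROM:" Reverse-path [SP Mail-parameters]
# Reverse-path = "<>" / "<" Mailbox ">". No spaces are permitted around the colon.
# Mailbox matching is loose (no quoted local-parts, no source routes); the point
# of this example is the mandatory angle brackets.
_MAIL_RE = re.compile(
    r"MAIL FROM:<(?P<mailbox>[^<>\s@]+@[^<>\s@]+)?>(?: (?P<params>\S.*))?",
    re.IGNORECASE,
)


class Session:
    """Hypothetical minimal SMTP session state, not aiosmtpd's own class."""

    def __init__(self):
        # Assumption: EHLO/HELO has already completed for this session.
        self.reverse_path = None  # None means no mail transaction is open

    def handle_mail(self, line: str) -> str:
        """Return the reply for one MAIL command line (CRLF already stripped)."""
        if self.reverse_path is not None:
            return "503 Error: nested MAIL command"
        match = _MAIL_RE.fullmatch(line)
        if match is None:
            # Section 4.1.4: unacceptable argument -> 501, state unchanged.
            return "501 Syntax: MAIL FROM:<address>"
        # "<>" is the valid null reverse-path; store it as an empty string.
        self.reverse_path = match.group("mailbox") or ""
        return "250 OK"


if __name__ == "__main__":
    session = Session()
    # Constructed sample input: the line from the report, then a valid one.
    for cmd in ("MAIL FROM:alice@example.com", "MAIL FROM:<alice@example.com>"):
        print(cmd, "->", session.handle_mail(cmd))
```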