commit 127003ee37e3eb6d914782be43097338baa32d2b
parent 92921b1d3b7262eaa0fbb095cc714098b431c2f9
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date: Wed, 24 Nov 2021 18:24:00 +0100
reject unreasonably long mailbox names from IMAP LIST
this wasn't really a security problem, as the name mapping we actually
do does not change the string length, and the iteration was already
safe after the literal length fix, but it's still better to catch weird
input.
Diffstat:
1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -1439,6 +1439,10 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
}
arg = list->val;
argl = (int)list->len;
+ if (argl > 1000) {
+ warn( "IMAP warning: ignoring unreasonably long mailbox name '%.100s[...]'\n", arg );
+ return LIST_OK;
+ }
// The server might be weird and have a non-uppercase INBOX. It
// may legitimately do so, but we need the canonical spelling.
normalize_INBOX( ctx, arg, argl );
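Review bot: The new guard tests `argl` only after `list->len` has been narrowed with `(int)`, so a length above INT_MAX would turn negative and pass `argl > 1000`. The type of `list->len` is not visible in this hunk, but if it is unsigned or wider than int, testing the original value before the cast is safer: `if (list->len > 1000) {`. The limit 1000 and the `%.100s` preview width are bare literals; a named constant with a one-line comment on why that bound was chosen would help the next reader. The preview also prints up to 100 server-supplied bytes verbatim, so unless warn() already escapes control characters (not shown here), they reach the terminal or log unchanged. parse_list_rsp_p2 begins and ends outside the hunk.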