Fix possible IMAP command injection vulnerability (#6229)

[CVE-2018-9846]

CHANGELOG

@@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail
 
 - Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
+- Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
 
 RELEASE 1.1.10
 --------------

program/lib/Roundcube/rcube_imap_generic.php

@@ -3707,13 +3707,13 @@ class rcube_imap_generic
 
         if (!is_array($messages)) {
             // if less than 255 bytes long, let's not bother
-            if (!$force && strlen($messages)<255) {
-                return $messages;
+            if (!$force && strlen($messages) < 255) {
+                return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;
             }
 
             // see if it's already been compressed
             if (strpos($messages, ':') !== false) {
-                return $messages;
+                return preg_match('/[^0-9:,*]/', $messages) ? 'INVALID' : $messages;;
             }
 
             // separate, then sort
@@ -3746,7 +3746,8 @@ class rcube_imap_generic
         }
 
         // return as comma separated string
-        return implode(',', $result);
+        $result = implode(',', $result);
+        return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
     }
 
     /**