Fix possible IMAP command injection and type juggling vulnerabilities (#6229)

7 years ago · 8b0540d402
parent 891d01a4ef
commit 8b0540d402
3 changed files with 9 additions and 6 deletions
--- a/1
+++ b/1
@ -75,6 +75,7 @@ CHANGELOG Roundcube Webmail
 - Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
 - Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
 - Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
+- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)

 RELEASE 1.3.5
 -------------
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@ -916,7 +916,7 @@ class rcube
        $sess_tok = $this->get_request_token();

        // ajax requests
-        if (rcube_utils::request_header('X-Roundcube-Request') == $sess_tok) {
+        if (rcube_utils::request_header('X-Roundcube-Request') === $sess_tok) {
            return true;
        }

@ -931,7 +931,7 @@ class rcube
        $token   = rcube_utils::get_input_value('_token', $mode);
        $sess_id = $_COOKIE[ini_get('session.name')];

-        if (empty($sess_id) || $token != $sess_tok) {
+        if (empty($sess_id) || $token !== $sess_tok) {
            $this->request_status = self::REQUEST_ERROR_TOKEN;
            return false;
        }
--- a/program/lib/Roundcube/rcube_imap_generic.php
+++ b/program/lib/Roundcube/rcube_imap_generic.php
@ -3865,13 +3865,13 @@ class rcube_imap_generic

        if (!is_array($messages)) {
            // if less than 255 bytes long, let's not bother
-            if (!$force && strlen($messages)<255) {
-                return $messages;
+            if (!$force && strlen($messages) < 255) {
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
            }

            // see if it's already been compressed
            if (strpos($messages, ':') !== false) {
-                return $messages;
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
            }

            // separate, then sort
@ -3906,7 +3906,9 @@ class rcube_imap_generic
        }

        // return as comma separated string
-        return implode(',', $result);
+        $result = implode(',', $result);
+
+        return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
    }

    /**