Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)

pull/6465/head
Aleksander Machniak 6 years ago
parent e3dd5b66d2
commit c278b8796f

@ -6,6 +6,7 @@ CHANGELOG Roundcube Webmail
- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
- Enigma: Fix key selection for signing
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
RELEASE 1.3.5
-------------

@ -606,8 +606,10 @@ class rcmail extends rcube
// Here we need IDNA ASCII
// Only rcube_contacts class is using domain names in Unicode
$host = rcube_utils::idn_to_ascii($host);
$username = rcube_utils::idn_to_ascii($username);
$host = rcube_utils::idn_to_ascii($host);
if (strpos($username, '@')) {
$username = rcube_utils::idn_to_ascii($username);
}
// user already registered -> overwrite username
if ($user = rcube_user::query($username, $host)) {
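Review bot: The converted value on the new line `$username = rcube_utils::idn_to_ascii($username);` is used unchecked, although the docstring this same commit adds to rcube_utils::idn_to_ascii says an empty string may come back for an invalid domain; a login with a malformed domain part would then reach rcube_user::query() with a username that no longer matches what the user typed, and whether that can match a different account depends on code outside this hunk. Consider keeping the typed value when the conversion yields nothing: `$ascii = rcube_utils::idn_to_ascii($username); if ($ascii !== '') { $username = $ascii; }`. The guard `if (strpos($username, '@'))` relies on truthiness; it is the intended test here because an address cannot start with '@', but `strpos($username, '@') !== false` makes that explicit and matches the `$at = strpos($input, '@')` idiom in rcube_utils. The enclosing method starts and ends outside the hunk.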

@ -856,24 +856,41 @@ class rcube_utils
return $date;
}
/*
* Idn_to_ascii wrapper.
* Intl/Idn modules version of this function doesn't work with e-mail address
/**
* Wrapper for idn_to_ascii with support for e-mail address.
*
* Warning: Domain names may be lowercase'd.
* Warning: An empty string may be returned on invalid domain.
*
* @param string $str Decoded e-mail address
*
* @return string Encoded e-mail address
*/
public static function idn_to_ascii($str)
{
return self::idn_convert($str, true);
}
/*
* Idn_to_ascii wrapper.
* Intl/Idn modules version of this function doesn't work with e-mail address
/**
* Wrapper for idn_to_utf8 with support for e-mail address
*
* @param string $str Decoded e-mail address
*
* @return string Encoded e-mail address
*/
public static function idn_to_utf8($str)
{
return self::idn_convert($str, false);
}
/**
* Convert a string to ascii or utf8 (using IDNA standard)
*
* @param string $input Decoded e-mail address
* @param boolean $is_utf Convert by idn_to_ascii if true and idn_to_utf8 if false
*
* @return string Encoded e-mail address
*/
public static function idn_convert($input, $is_utf = false)
{
if ($at = strpos($input, '@')) {
@ -881,18 +898,25 @@ class rcube_utils
$domain = substr($input, $at + 1);
}
else {
$user = '';
$domain = $input;
}
// Note that in PHP 7.2/7.3 calling idn_to_* functions with default arguments
// throws a warning, so we have to set the variant explicitely (#6075)
$variant = defined('INTL_IDNA_VARIANT_UTS46') ? INTL_IDNA_VARIANT_UTS46 : null;
$options = 0;
$options = IDNA_DEFAULT;
// Because php-intl extension lowercases domains and return false
// on invalid input (#6224), we skip conversion when not needed
// for compatibility with our Net_IDNA2 wrappers in bootstrap.php
if ($is_utf) {
$domain = idn_to_ascii($domain, $options, $variant);
if (preg_match('/[^\x20-\x7E]/', $domain)) {
$domain = idn_to_ascii($domain, $options, $variant);
}
}
else {
else if (preg_match('/(^|\.)xn--/i', $domain)) {
$domain = idn_to_utf8($domain, $options, $variant);
}
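Review bot: In the second hunk (@ -881) neither `idn_to_ascii($domain, $options, $variant)` nor `idn_to_utf8($domain, $options, $variant)` has its return value checked, and the comment directly above them states that the intl functions return false on invalid input; `$domain` then silently becomes false, which is presumably what the "empty string may be returned on invalid domain" warning in the first hunk's docstring refers to (the return statement of idn_convert is outside the hunk). Make that outcome explicit rather than incidental, e.g. `$converted = idn_to_ascii($domain, $options, $variant);` followed by `$domain = $converted === false ? '' : $converted; // intl returns false on invalid input (#6224)`, and the same for the utf8 branch, so a later reader does not mistake it for an oversight. The byte-wise `/[^\x20-\x7E]/` test is the right check here because any non-ASCII byte needs encoding; a short comment such as `// any non-ASCII byte; deliberately no /u modifier` would stop someone "fixing" it into a UTF-8 character-class test. idn_convert starts in the first hunk and its tail is outside the second.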

@ -531,4 +531,70 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$this->assertSame(0, strlen(rcube_utils::random_bytes(0)));
$this->assertSame(0, strlen(rcube_utils::random_bytes(-1)));
}
/**
* Test-Cases for IDN to ASCII and IDN to UTF-8
*/
function data_idn_convert()
{
/*
* Check https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Internationalized_brand_top-level_domains
* and https://github.com/true/php-punycode/blob/master/tests/PunycodeTest.php for more Test-Data
*/
return array(
array('test@vermögensberater', 'test@xn--vermgensberater-ctb'),
array('test@vermögensberatung', 'test@xn--vermgensberatung-pwb'),
array('test@グーグル', 'test@xn--qcka1pmc'),
array('test@谷歌', 'test@xn--flw351e'),
array('test@中信', 'test@xn--fiq64b'),
array('test@рф.ru', 'test@xn--p1ai.ru'),
array('test@δοκιμή.gr', 'test@xn--jxalpdlp.gr'),
array('test@gwóźdź.pl', 'test@xn--gwd-hna98db.pl'),
array('рф.ru@рф.ru', 'рф.ru@xn--p1ai.ru'),
array('vermögensberater', 'xn--vermgensberater-ctb'),
array('vermögensberatung', 'xn--vermgensberatung-pwb'),
array('グーグル', 'xn--qcka1pmc'),
array('谷歌', 'xn--flw351e'),
array('中信', 'xn--fiq64b'),
array('рф.ru', 'xn--p1ai.ru'),
array('δοκιμή.gr', 'xn--jxalpdlp.gr'),
array('gwóźdź.pl', 'xn--gwd-hna98db.pl'),
);
}
/**
* Test idn_to_ascii
*
* @param string $decoded Decoded email address
* @param string $encoded Encoded email address
* @dataProvider data_idn_convert
*/
function test_idn_to_ascii($decoded, $encoded)
{
$this->assertEquals(rcube_utils::idn_to_ascii($decoded), $encoded);
}
/**
* Test idn_to_utf8
*
* @param string $decoded Decoded email address
* @param string $encoded Encoded email address
* @dataProvider data_idn_convert
*/
function test_idn_to_utf8($decoded, $encoded)
{
$this->assertEquals(rcube_utils::idn_to_utf8($encoded), $decoded);
}
/**
* Test idn_to_ascii with non-domain input (#6224)
*/
function test_idn_to_ascii_special()
{
$this->assertEquals(rcube_utils::idn_to_ascii('H.S'), 'H.S');
$this->assertEquals(rcube_utils::idn_to_ascii('d.-h.lastname'), 'd.-h.lastname');
}
}
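Review bot: The assertEquals calls in test_idn_to_ascii, test_idn_to_utf8 and test_idn_to_ascii_special pass the actual value first and the expected value second, the reverse of PHPUnit's `assertEquals($expected, $actual)` order, so a failure message would label the two the wrong way round; since every value is a string, `$this->assertSame($encoded, rcube_utils::idn_to_ascii($decoded));` (and likewise for the other assertions) is both correctly ordered and stricter. test_idn_to_ascii_special pins the no-domain case from #6224, but the commit's other guarantee — a pure-ASCII address keeps its case because conversion is now skipped — is not covered; one more assertion with an upper-case ASCII domain, e.g. `$this->assertSame('User@Example.COM', rcube_utils::idn_to_ascii('User@Example.COM'));`, would lock that in.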
