Fix possible IMAP command injection vulnerability (#6229)

[CVE-2018-9846]

CHANGELOG

@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
 
 RELEASE 1.2.7

program/lib/Roundcube/rcube_imap_generic.php

@@ -3836,13 +3836,13 @@ class rcube_imap_generic
 
         if (!is_array($messages)) {
             // if less than 255 bytes long, let's not bother
-            if (!$force && strlen($messages)<255) {
-                return $messages;
+            if (!$force && strlen($messages) < 255) {
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
             }
 
             // see if it's already been compressed
             if (strpos($messages, ':') !== false) {
-                return $messages;
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
             }
 
             // separate, then sort
@@ -3877,7 +3877,9 @@ class rcube_imap_generic
         }
 
         // return as comma separated string
-        return implode(',', $result);
+        $result = implode(',', $result);
+
+        return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
     }
 
     /**