From cdeb6234a2e029c499898c3432fdf5b2cf093640 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Tue, 17 Apr 2018 13:32:30 +0200
Subject: [PATCH] Fix possible IMAP command injection vulnerability (#6229)

[CVE-2018-9846]
---
 CHANGELOG                                    |  1 +
 program/lib/Roundcube/rcube_imap_generic.php | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index b26c3a245..6ab0bce3f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
 
 RELEASE 1.2.7
diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
index ac3a5fd24..5b87a4085 100644
--- a/program/lib/Roundcube/rcube_imap_generic.php
+++ b/program/lib/Roundcube/rcube_imap_generic.php
@@ -3836,13 +3836,13 @@ class rcube_imap_generic
 
         if (!is_array($messages)) {
             // if less than 255 bytes long, let's not bother
-            if (!$force && strlen($messages)<255) {
-                return $messages;
+            if (!$force && strlen($messages) < 255) {
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
             }
 
             // see if it's already been compressed
             if (strpos($messages, ':') !== false) {
-                return $messages;
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
             }
 
             // separate, then sort
@@ -3877,7 +3877,9 @@ class rcube_imap_generic
         }
 
         // return as comma separated string
-        return implode(',', $result);
+        $result = implode(',', $result);
+
+        return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
     }
 
     /**