From 127003ee37e3eb6d914782be43097338baa32d2b Mon Sep 17 00:00:00 2001 From: Oswald Buddenhagen Date: Wed, 24 Nov 2021 18:24:00 +0100 Subject: [PATCH] reject unreasonably long mailbox names from IMAP LIST this wasn't really a security problem, as the name mapping we actually do does not change the string length, and the iteration was already safe after the literal length fix, but it's still better to catch weird input. --- src/drv_imap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/drv_imap.c b/src/drv_imap.c index bb71506..c5a7aed 100644 --- a/src/drv_imap.c +++ b/src/drv_imap.c @@ -1439,6 +1439,10 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED ) } arg = list->val; argl = (int)list->len; + if (argl > 1000) { + warn( "IMAP warning: ignoring unreasonably long mailbox name '%.100s[...]'\n", arg ); + return LIST_OK; + } // The server might be weird and have a non-uppercase INBOX. It // may legitimately do so, but we need the canonical spelling. normalize_INBOX( ctx, arg, argl );