Fix possible IMAP command injection and type juggling vulnerabilities (…

…#6229)
roundcube · Apr 3, 2018 · 8b0540d · 8b0540d
1 parent 891d01a
commit 8b0540d
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -75,6 +75,7 @@ CHANGELOG Roundcube Webmail
 - Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
 - Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
 - Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
+- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
 
 RELEASE 1.3.5
 -------------

diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
@@ -916,7 +916,7 @@ public function check_request($mode = rcube_utils::INPUT_POST)
         $sess_tok = $this->get_request_token();
 
         // ajax requests
-        if (rcube_utils::request_header('X-Roundcube-Request') == $sess_tok) {
+        if (rcube_utils::request_header('X-Roundcube-Request') === $sess_tok) {
             return true;
         }
 
@@ -931,7 +931,7 @@ public function check_request($mode = rcube_utils::INPUT_POST)
         $token   = rcube_utils::get_input_value('_token', $mode);
         $sess_id = $_COOKIE[ini_get('session.name')];
 
-        if (empty($sess_id) || $token != $sess_tok) {
+        if (empty($sess_id) || $token !== $sess_tok) {
             $this->request_status = self::REQUEST_ERROR_TOKEN;
             return false;
         }

diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
@@ -3865,13 +3865,13 @@ public static function compressMessageSet($messages, $force=false)
 
         if (!is_array($messages)) {
             // if less than 255 bytes long, let's not bother
-            if (!$force && strlen($messages)<255) {
-                return $messages;
+            if (!$force && strlen($messages) < 255) {
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
             }
 
             // see if it's already been compressed
             if (strpos($messages, ':') !== false) {
-                return $messages;
+                return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages;
             }
 
             // separate, then sort
@@ -3906,7 +3906,9 @@ public static function compressMessageSet($messages, $force=false)
         }
 
         // return as comma separated string
-        return implode(',', $result);
+        $result = implode(',', $result);
+
+        return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result;
     }
 
     /**