From 8b0540d402cc545e3f79d4572568a306320c4bf7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 3 Apr 2018 19:07:02 +0200 Subject: [PATCH] Fix possible IMAP command injection and type juggling vulnerabilities (#6229) --- CHANGELOG | 1 + program/lib/Roundcube/rcube.php | 4 ++-- program/lib/Roundcube/rcube_imap_generic.php | 10 ++++++---- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 17f72cb81d0..d421814d079 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -75,6 +75,7 @@ CHANGELOG Roundcube Webmail - Fix so links over images are not removed in plain text signatures converted from HTML (#4473) - Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772) - Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216) +- Fix possible IMAP command injection and type juggling vulnerabilities (#6229) RELEASE 1.3.5 ------------- diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php index 680f80408d9..29ccb3d5389 100644 --- a/program/lib/Roundcube/rcube.php +++ b/program/lib/Roundcube/rcube.php @@ -916,7 +916,7 @@ public function check_request($mode = rcube_utils::INPUT_POST) $sess_tok = $this->get_request_token(); // ajax requests - if (rcube_utils::request_header('X-Roundcube-Request') == $sess_tok) { + if (rcube_utils::request_header('X-Roundcube-Request') === $sess_tok) { return true; } @@ -931,7 +931,7 @@ public function check_request($mode = rcube_utils::INPUT_POST) $token = rcube_utils::get_input_value('_token', $mode); $sess_id = $_COOKIE[ini_get('session.name')]; - if (empty($sess_id) || $token != $sess_tok) { + if (empty($sess_id) || $token !== $sess_tok) { $this->request_status = self::REQUEST_ERROR_TOKEN; return false; } diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php index 0334473b56f..c6395912c48 100644 --- a/program/lib/Roundcube/rcube_imap_generic.php +++ b/program/lib/Roundcube/rcube_imap_generic.php @@ -3865,13 +3865,13 @@ public static function compressMessageSet($messages, $force=false) if (!is_array($messages)) { // if less than 255 bytes long, let's not bother - if (!$force && strlen($messages)<255) { - return $messages; + if (!$force && strlen($messages) < 255) { + return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages; } // see if it's already been compressed if (strpos($messages, ':') !== false) { - return $messages; + return preg_match('/[^0-9:,]/', $messages) ? 'INVALID' : $messages; } // separate, then sort @@ -3906,7 +3906,9 @@ public static function compressMessageSet($messages, $force=false) } // return as comma separated string - return implode(',', $result); + $result = implode(',', $result); + + return preg_match('/[^0-9:,]/', $result) ? 'INVALID' : $result; } /**