Sanity checks for header data length in FETCH (#6087)

Where we know what expected data length is we truncate the input.
roundcube · Dec 13, 2017 · c0959bd · c0959bd
1 parent 3cdc8af
commit c0959bd
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
@@ -2504,14 +2504,16 @@ public function fetch($mailbox, $message_set, $is_uid = false, $query_items = ar
 
                         switch ($field) {
                         case 'date';
-                            $result[$id]->date = $string;
+                            $string                 = substr($string, 0, 128);
+                            $result[$id]->date      = $string;
                             $result[$id]->timestamp = rcube_utils::strtotime($string);
                             break;
                         case 'to':
                             $result[$id]->to = preg_replace('/undisclosed-recipients:[;,]*/', '', $string);
                             break;
                         case 'from':
                         case 'subject':
+                            $string = substr($string, 0, 2048);
                         case 'cc':
                         case 'bcc':
                         case 'references':
@@ -2521,7 +2523,7 @@ public function fetch($mailbox, $message_set, $is_uid = false, $query_items = ar
                             $result[$id]->replyto = $string;
                             break;
                         case 'content-transfer-encoding':
-                            $result[$id]->encoding = $string;
+                            $result[$id]->encoding = substr($string, 0, 32);
                         break;
                         case 'content-type':
                             $ctype_parts = preg_split('/[; ]+/', $string);
@@ -2536,10 +2538,10 @@ public function fetch($mailbox, $message_set, $is_uid = false, $query_items = ar
                         case 'return-receipt-to':
                         case 'disposition-notification-to':
                         case 'x-confirm-reading-to':
-                            $result[$id]->mdn_to = $string;
+                            $result[$id]->mdn_to = substr($string, 0, 2048);
                             break;
                         case 'message-id':
-                            $result[$id]->messageID = $string;
+                            $result[$id]->messageID = substr($string, 0, 2048);
                             break;
                         case 'x-priority':
                             if (preg_match('/^(\d+)/', $string, $matches)) {