changeset 12937:9b94597c3f02

imap-login: Don't allow IMAP command tags that have invalid characters. This simply attempts to prevent HTTP requests from being replied to with any potentially dangerous data that some web browsers might execute, e.g.: curl --request POST -F 'x="<script>alert(1)</script>"' http://localhost:143/ The above command probably doesn't work, because max. bad commands is reached earlier. But if it isn't, this change makes sure it doesn't return anything back, because '"' and '(' aren't allowed characters. Even if '"' weren't required, there hopefully isn't much to be done without being able to call any functions.
author Timo Sirainen <tss@iki.fi>
date Fri, 08 Apr 2011 20:21:58 +0300
parents d14b0fd0a423
children a0c1c6f7cf6e
files src/imap-login/client.c
diffstat 1 files changed, 34 insertions(+), 0 deletions(-) [+]
--- a/src/imap-login/client.c	Fri Apr 08 19:50:31 2011 +0300
+++ b/src/imap-login/client.c	Fri Apr 08 20:21:58 2011 +0300
@@ -199,6 +199,33 @@
 	return -2;
 }
 
+static bool imap_is_valid_tag(const char *tag)
+{
+	for (; *tag != '\0'; tag++) {
+		switch (*tag) {
+		case '+':
+		/* atom-specials: */
+		case '(':
+		case ')':
+		case '{':
+		case '/':
+		case ' ':
+		/* list-wildcards: */
+		case '%':
+		case '*':
+		/* quoted-specials: */
+		case '"':
+		case '\\':
+			return FALSE;
+		default:
+			if (*tag < ' ') /* CTL */
+				return FALSE;
+			break;
+		}
+	}
+	return TRUE;
+}
+
 static bool client_handle_input(struct imap_client *client)
 {
 	const struct imap_arg *args;
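Review bot: The CTL test in the `default` branch of imap_is_valid_tag compares a plain `char` against `' '`, so DEL (0x7f) is accepted, and whether bytes 0x80–0xff are rejected depends on the platform's `char` signedness — with signed char they compare negative and are refused, with unsigned char they pass. RFC 3501 restricts tags to 7-bit ASCII text with CTL (which includes DEL) excluded, so the check should say that explicitly: `unsigned char c = (unsigned char)*tag; if (c < ' ' || c >= 0x7f) return FALSE;`. The `/* atom-specials: */` label also covers `'/'`, which RFC 3501 does not list among atom-specials; if rejecting it is deliberate (the commit message suggests HTTP-style input is the concern), give it its own comment such as `/* not an IMAP special; rejected so URL-like input never forms a tag */` so a later reader does not "fix" it. A one-line header comment stating the function's contract — returns FALSE for any byte that RFC 3501 does not allow in a tag — would also help.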
@@ -230,6 +257,13 @@
                 client->cmd_tag = imap_parser_read_word(client->parser);
 		if (client->cmd_tag == NULL)
 			return FALSE; /* need more data */
+		if (!imap_is_valid_tag(client->cmd_tag)) {
+			/* the tag is invalid, don't allow it and don't
+			   send it back. this attempts to prevent any
+			   potentially dangerous replies in case someone tries
+			   to access us using HTTP protocol. */
+			client->cmd_tag = "";
+		}
 	}
 
 	if (client->cmd_name == NULL) {
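Review bot: The comment above `client->cmd_tag = "";` says the tag is not allowed, but the code only blanks it and falls through, so the command is still parsed and handled as though it carried an empty tag; as far as this hunk shows, nothing is logged and the bad-command counter the commit message refers to is not touched here. The comment should describe what actually happens, e.g. `/* invalid tag: blank it so it is never echoed back in a reply (an HTTP request could otherwise get its own bytes reflected); the command itself is still processed. */`. Whether the same reflection concern applies to the command name read just below is not visible here, but since cmd_name comes from the same parser it is worth confirming that it is never echoed unvalidated either. client_handle_input's body continues outside the hunk on both sides.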