dovecot-2.0: imap-login: Don't allow IMAP command tags that have...

dovecot at dovecot.org
Fri Apr 8 20:23:21 EEST 2011


details:   http://hg.dovecot.org/dovecot-2.0/rev/9b94597c3f02
changeset: 12730:9b94597c3f02
user:      Timo Sirainen <tss at iki.fi>
date:      Fri Apr 08 20:21:58 2011 +0300
description:
imap-login: Don't allow IMAP command tags that have invalid characters.
This simply attempts to prevent HTTP requests from replying with any
potentially dangerous data that some web browsers might execute, e.g.:

curl --request POST -F 'x="<script>alert(1)</script>"' http://localhost:143/

The above command probably doesn't work, because max. bad commands is
reached earlier. But if it isn't, this change makes sure it doesn't return
back anything, because '"' and '(' aren't allowed characters. Even if '"'
weren't required, there hopefully isn't much to be done without being able
to call any functions.

diffstat:

 src/imap-login/client.c |  34 ++++++++++++++++++++++++++++++++++
 1 files changed, 34 insertions(+), 0 deletions(-)

diffs (51 lines):

diff -r d14b0fd0a423 -r 9b94597c3f02 src/imap-login/client.c
--- a/src/imap-login/client.c	Fri Apr 08 19:50:31 2011 +0300
+++ b/src/imap-login/client.c	Fri Apr 08 20:21:58 2011 +0300
@@ -199,6 +199,33 @@
 	return -2;
 }
 
+static bool imap_is_valid_tag(const char *tag)
+{
+	for (; *tag != '\0'; tag++) {
+		switch (*tag) {
+		case '+':
+		/* atom-specials: */
+		case '(':
+		case ')':
+		case '{':
+		case '/':
+		case ' ':
+		/* list-wildcards: */
+		case '%':
+		case '*':
+		/* quoted-specials: */
+		case '"':
+		case '\\':
+			return FALSE;
+		default:
+			if (*tag < ' ') /* CTL */
+				return FALSE;
+			break;
+		}
+	}
+	return TRUE;
+}
+
 static bool client_handle_input(struct imap_client *client)
 {
 	const struct imap_arg *args;
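Review bot: the CTL check in the default branch, `if (*tag < ' ')`, misses DEL (0x7F), which RFC 3501 counts as a CTL, and it only rejects bytes 0x80 and above by relying on `char` being signed on the build platform; compare as `(unsigned char)*tag` and reject `< 0x20 || >= 0x7F` explicitly so the behaviour does not depend on the compiler. Two smaller points on the same function: `case '/':` sits under the `/* atom-specials: */` comment but '/' is not an atom-special in RFC 3501, so the comment should state that it is an extra exclusion aimed at the HTTP request line; and the loop returns TRUE for an empty string, which is only harmless if `imap_parser_read_word()` can never yield one, so an explicit `*tag == '\0'` check would document that assumption.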
@@ -230,6 +257,13 @@
                 client->cmd_tag = imap_parser_read_word(client->parser);
 		if (client->cmd_tag == NULL)
 			return FALSE; /* need more data */
+		if (!imap_is_valid_tag(client->cmd_tag)) {
+			/* the tag is invalid, don't allow it and don't
+			   send it back. this attempts to prevent any
+			   potentially dangerous replies in case someone tries
+			   to access us using HTTP protocol. */
+			client->cmd_tag = "";
+		}
 	}
 
 	if (client->cmd_name == NULL) {
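Review bot: after `client->cmd_tag = "";` control falls through, so the command is still parsed and answered, merely with an empty tag; the comment's "don't allow it" overstates what happens, since only the echo of the tag is suppressed. If the intent is to refuse such input, return FALSE here or count it towards the bad-command limit the commit message mentions, so a client sending malformed tags cannot keep the session busy for free. It is also worth stating in the comment that the check only covers the characters listed in `imap_is_valid_tag()`; other printable characters still pass and are echoed, which is why the commit message relies on '"' and '(' being excluded.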


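As an added illustration, not part of the Dovecot patch above, here is a stand-alone allowlist-style validator for an IMAP command tag written against the RFC 3501 grammar. It covers the same characters as `imap_is_valid_tag()` but also rejects DEL and all non-ASCII bytes by working on `unsigned char`, refuses the empty tag (the RFC requires at least one character), and keeps the extra '/' exclusion from the patch. The function names `imap_tag_is_valid` and `imap_reply_tag` and all test inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 3501 grammar this validator follows:
 *   tag           = 1*<any ASTRING-CHAR except "+">
 *   ASTRING-CHAR  = ATOM-CHAR / resp-specials        ; so "]" is allowed
 *   ATOM-CHAR     = <any CHAR except atom-specials>
 *   atom-specials = "(" / ")" / "{" / SP / CTL / list-wildcards /
 *                   quoted-specials / resp-specials
 * CTL is %x00-1F and %x7F; CHAR is 7-bit, so bytes >= 0x80 are out too.
 * '/' is not an atom-special but is refused here as well, mirroring the
 * Dovecot patch, so an HTTP request line ("GET / HTTP/1.1") is not a tag.
 */
static bool is_forbidden_in_tag(unsigned char c)
{
    switch (c) {
    case '(': case ')': case '{': case ' ':   /* atom-specials */
    case '%': case '*':                        /* list-wildcards */
    case '"': case '\\':                       /* quoted-specials */
    case '+':                                  /* excluded from tag */
    case '/':                                  /* extra: HTTP request line */
        return true;
    default:
        return c < 0x20 || c >= 0x7F;          /* CTL, DEL, non-ASCII */
    }
}

/* Returns true only for a non-empty tag made solely of permitted bytes. */
bool imap_tag_is_valid(const char *tag)
{
    size_t i;

    if (tag == NULL || tag[0] == '\0')
        return false;
    for (i = 0; tag[i] != '\0'; i++) {
        if (is_forbidden_in_tag((unsigned char)tag[i]))
            return false;
    }
    return true;
}

/* Tag to echo in a response: the client's own tag when well-formed,
 * otherwise an empty string so no attacker-controlled bytes are reflected. */
const char *imap_reply_tag(const char *tag)
{
    return imap_tag_is_valid(tag) ? tag : "";
}

int main(void)
{
    /* constructed inputs with the expected verdict */
    static const struct { const char *tag; bool want; } cases[] = {
        { "A001",      true  },   /* ordinary tag */
        { "a.b_c]",    true  },   /* "]" is a resp-special, allowed */
        { "POST",      true  },   /* the HTTP method alone is a valid tag */
        { "<b>",       true  },   /* '<' and '>' are not excluded */
        { "",          false },   /* RFC requires 1* characters */
        { "A001+",     false },   /* '+' never appears in a tag */
        { "x(y",       false },   /* atom-special */
        { "/",         false },   /* extra exclusion */
        { "t\x7fg",    false },   /* DEL */
        { "\xc3\xa9",  false },   /* 8-bit bytes */
        { "x=\"1\"",   false },   /* quoted-special */
    };
    size_t i, failures = 0;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        bool got = imap_tag_is_valid(cases[i].tag);
        if (got != cases[i].want) {
            printf("MISMATCH for \"%s\": got %d\n", cases[i].tag, (int)got);
            failures++;
        }
    }
    printf("%zu mismatches; reply tag for \"x(y\" is \"%s\"\n",
           failures, imap_reply_tag("x(y"));
    return failures == 0 ? 0 : 1;
}
```

The allowlist framing matters more than the exact character set: by deciding per byte on an `unsigned char` the validator gives the same answer on every platform, whereas a `char < ' '` comparison silently changes meaning between signed and unsigned `char` builds.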