[commit] 1.3: CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB

[Oswald Buddenhagen via isync-devel]

commit fe5d59f8e3169944e57eb1c60155c9ebd4912d48
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Sun Feb 14 20:42:37 2021 +0100

    CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB
    
    in particular, '..' in the name could be used to escape the Path/Inbox
    of a Maildir Store, which could be exploited for stealing or deleting
    data, or staging a (mild) DoS attack.

 src/drv_imap.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/drv_imap.c b/src/drv_imap.c
index 810479e..fbe2fed 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1258,11 +1258,12 @@ static int
 parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
 {
        string_list_t *narg;
-       char *arg;
+       char *arg, c;
        int argl, l;
 
        if (!is_atom( list )) {
                error( "IMAP error: malformed LIST response\n" );
+         listbad:
                free_list( list );
                return LIST_BAD;
        }
@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char 
*cmd ATTR_UNUSED )
                warn( "IMAP warning: ignoring mailbox %s (reserved character 
'/' in name)\n", arg );
                goto skip;
        }
+       // Validate the normalized name. Technically speaking, we could tolerate
+       // '//' and '/./', and '/../' being forbidden is a limitation of the 
Maildir
+       // driver, but there isn't really a legitimate reason for these being 
present.
+       for (const char *p = narg->string, *sp = p;;) {
+               if (!(c = *p) || c == '/') {
+                       uint pcl = (uint)(p - sp);
+                       if (!pcl) {
+                               error( "IMAP warning: ignoring mailbox '%s' due 
to empty name component\n", narg->string );
+                               free( narg );
+                               goto skip;
+                       }
+                       if (pcl == 1 && sp[0] == '.') {
+                               error( "IMAP warning: ignoring mailbox '%s' due 
to '.' component\n", narg->string );
+                               free( narg );
+                               goto skip;
+                       }
+                       if (pcl == 2 && sp[0] == '.' && sp[1] == '.') {
+                               error( "IMAP error: LIST'd mailbox name '%s' 
contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", 
narg->string );
+                               free( narg );
+                               goto listbad;
+                       }
+                       if (!c)
+                               break;
+                       sp = ++p;
+               } else {
+                       ++p;
+               }
+       }
        narg->next = ctx->boxes;
        ctx->boxes = narg;
   skip:


_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel