
[james-project] 01/06: JAMES-1862 IMAP tags should be well sanitized when enforcing STARTTLS command injection checks

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit f913f6faa12bbdca0276e4f6e0cc65547d547aec
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Tue Mar 15 10:03:48 2022 +0700

    JAMES-1862 IMAP tags should be well sanitized when enforcing STARTTLS command injection checks
---
 .../james/imapserver/netty/SwitchableLineBasedFrameDecoder.java  | 2 +-
 .../java/org/apache/james/imapserver/netty/IMAPServerTest.java   | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/protocols/protocols-imap4/src/main/java/org/apache/james/imapserver/netty/SwitchableLineBasedFrameDecoder.java b/server/protocols/protocols-imap4/src/main/java/org/apache/james/imapserver/netty/SwitchableLineBasedFrameDecoder.java
index 2f4d117..501ae14 100644
--- a/server/protocols/protocols-imap4/src/main/java/org/apache/james/imapserver/netty/SwitchableLineBasedFrameDecoder.java
+++ b/server/protocols/protocols-imap4/src/main/java/org/apache/james/imapserver/netty/SwitchableLineBasedFrameDecoder.java
@@ -56,7 +56,7 @@ public class SwitchableLineBasedFrameDecoder extends AllButStartTlsLineBasedChan
 
     protected String removeTag(String input) {
         String trimmedInput = input.trim();
-        int tagEnd = input.indexOf(' ');
+        int tagEnd = trimmedInput.indexOf(' ');
         if (tagEnd < 0) {
             return input;
         }
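Review bot: The tagless branch still returns the untrimmed `input` while the tag boundary is now looked up on `trimmedInput`, so a line like ` STARTTLS` (leading whitespace, no SP after trimming) leaves this method with its whitespace intact; whether the downstream comparison tolerates that is not visible here, but `return trimmedInput;` would keep both paths operating on the same string. Note also that `String.trim()` strips every character at or below U+0020 at both ends, including the CRLF terminator and any leading control bytes, which is presumably why the offset had to move to the trimmed copy. The method has no comment describing its contract; I would add `// Strips the IMAP tag (everything up to the first SP) from a trimmed line; a line with no SP is returned unchanged.` above the signature. The body of removeTag continues past the end of this hunk.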
diff --git a/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java b/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
index 06356b4..ee07543 100644
--- a/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
+++ b/server/protocols/protocols-imap4/src/test/java/org/apache/james/imapserver/netty/IMAPServerTest.java
@@ -447,6 +447,15 @@ class IMAPServerTest {
         }
 
         @Test
+        void tagsShouldBeWellSanitized() throws Exception {
+            IMAPSClient imapClient = new IMAPSClient();
+            imapClient.connect("127.0.0.1", port);
+            assertThatThrownBy(() -> imapClient.sendCommand("NOOP\r\n A1 STARTTLS\r\nA2 NOOP"))
+                .isInstanceOf(EOFException.class)
+                .hasMessage("Connection closed without indication.");
+        }
+
+        @Test
         void lineFollowingStartTLSShouldBeSanitized() throws Exception {
             IMAPSClient imapClient = new IMAPSClient();
             imapClient.connect("127.0.0.1", port);
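Review bot: The new assertion on line 47 pins the literal `Connection closed without indication.`, which is the text produced by the commons-net client rather than by the server under test, so a client-library upgrade can break the test without any regression in the sanitization; `.isInstanceOf(EOFException.class)` alone expresses the intent, or keep the message check with a comment naming its origin. The payload on line 45 also deserves a one-line comment so a reader knows why the leading space before `A1` matters, e.g. `// Leading whitespace before the tag presumably shifted the tag offset on the untrimmed line; the server must still refuse the injected STARTTLS.` The `imapClient` is never disconnected; since the server closes the connection the socket is presumably released, but an explicit `imapClient.disconnect()` in a finally block would match the pattern of the surrounding tests if they use one.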
