From 20f3988a79927ab5c8208c725f9b667d9d27a501 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 31 Jul 2024 18:11:31 +0200 Subject: [PATCH] Fix infinite loop when parsing malformed Sieve script (#9562) --- CHANGELOG.md | 1 + plugins/managesieve/Changelog | 1 + .../lib/Roundcube/rcube_sieve_script.php | 7 ++++--- .../managesieve/tests/ManagesieveScriptTest.php | 14 ++++++++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 840393a8852..561e82a4a7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,6 +67,7 @@ - Fix bug where "with attachment" filter could fail on some fts engines (#9514) - Fix bug where an unhandled exception was caused by an invalid image attachment (#9475) - Fix bug where a long subject title could not be displayed in some cases (#9416) +- Fix infinite loop when parsing malformed Sieve script (#9562) ## Release 1.6.7 diff --git a/plugins/managesieve/Changelog b/plugins/managesieve/Changelog index 8dac12b0767..d436dbb00b0 100644 --- a/plugins/managesieve/Changelog +++ b/plugins/managesieve/Changelog @@ -2,6 +2,7 @@ - Fix javascript error when relational or spamtest extension is not enabled (#9139) - Support an array in managesieve_host option (#9447) - Protect special scripts in managesieve_kolab_master mode +- Fix infinite loop when parsing a malformed script (#9562) * version 9.5 [2023-03-26] ----------------------------------------------------------- diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php index 7028b7f96e8..fddff339fa0 100644 --- a/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php +++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php @@ -1306,9 +1306,10 @@ public static function tokenize($str, $num = 0, &$position = 0) break; // bracket-comment (<< reindent once https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/issues/7179 is fixed) case '/': - if ($str[$position + 1] == '*') { - if ($end_pos = strpos($str, '*/', $position + 2)) { - $position = $end_pos + 2; + $position++; + if ($str[$position] == '*') { + if ($end_pos = strpos($str, '*/', $position + 1)) { + $position = $end_pos + 1; } else { // error $position = $length; diff --git a/plugins/managesieve/tests/ManagesieveScriptTest.php b/plugins/managesieve/tests/ManagesieveScriptTest.php index c1c65ad1754..6aa15012529 100644 --- a/plugins/managesieve/tests/ManagesieveScriptTest.php +++ b/plugins/managesieve/tests/ManagesieveScriptTest.php @@ -59,6 +59,20 @@ public static function provide_parser_cases(): iterable return $result; } + /** + * Sieve script parsing + */ + public function test_parser_bug9562() + { + // This is an obviously invalid script + $input = "vacation :subject \"a\" :from \"b\"\ntest"; + $script = new \rcube_sieve_script($input); + $result = $script->as_text(); + + // TODO: The output still is BS, but it at least does not cause an infinite loop + $this->assertSame("require [\"vacation\"];\r\nvacation :subject \"a\" :from \"b\" \"a\";\r\n", $result); + } + public static function provide_tokenizer_cases(): iterable { return [