blob: 1130e3a5134a98e4dfd67094104198ab7e4a5354 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
From 8ceb0cf0191f8b374a7f05974b29c6242ce8f752 Mon Sep 17 00:00:00 2001
From: Damian Poddebniak <poddebniak@fh-muenster.de>
Date: Thu, 23 Jul 2020 19:24:45 +0200
Subject: [PATCH] Detect extra data after STARTTLS response and exit
---
src/low-level/imap/mailimap.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
index bb17119d..4ffcf55d 100644
--- a/src/low-level/imap/mailimap.c
+++ b/src/low-level/imap/mailimap.c
@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
mailimap_response_free(response);
+ // Detect if the server send extra data after the STARTTLS response.
+ // This *may* be a "response injection attack".
+ if (session->imap_stream->read_buffer_len != 0) {
+ // Since it is also an IMAP protocol violation, exit.
+ return MAILIMAP_ERROR_STARTTLS;
+ }
+
switch (error_code) {
case MAILIMAP_RESP_COND_STATE_OK:
return MAILIMAP_NO_ERROR;
|
