Properly quote IMAP mailbox names when (un)subscribing.

When handling automatic subscription (via $imap_check_subscribed), or
manual subscribe/unsubscribe commands, mutt generating a "mailboxes"
command but failed to properly escape backquotes.

Thanks to Jeriko One for the detailed bug report and patch, which this
commit is based upon.

diff --git a/imap/command.c b/imap/command.c
index c88259815242209ebe02a28ddeaf0a52039ad4ce..c79d4f286e98b11122792f3551ccfb7a8b791c7e 100644 (file)
--- a/imap/command.c
+++ b/imap/command.c
@@ -842,8 +842,9 @@ static void cmd_parse_lsub (IMAP_DATA* idata, char* s)
 
   strfcpy (buf, "mailboxes \"", sizeof (buf));
   mutt_account_tourl (&idata->conn->account, &url);
-  /* escape \ and " */
-  imap_quote_string(errstr, sizeof (errstr), list.name);
+  /* escape \ and ". Also escape ` because the resulting
+   * string will be passed to mutt_parse_rc_line. */
+  imap_quote_string_and_backquotes (errstr, sizeof (errstr), list.name);
   url.path = errstr + 1;
   url.path[strlen(url.path) - 1] = '\0';
   if (!mutt_strcmp (url.user, ImapUser))

diff --git a/imap/imap.c b/imap/imap.c
index 668203b8e9c09127b018664e5c7567e9b9283d84..c3a8ffd0870d7b0c42df9093ff55e6a1926e71fa 100644 (file)
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -1930,6 +1930,7 @@ int imap_subscribe (char *path, int subscribe)
   char buf[LONG_STRING];
   char mbox[LONG_STRING];
   char errstr[STRING];
+  int mblen;
   BUFFER err, token;
   IMAP_MBOX mx;
 
@@ -1951,8 +1952,10 @@ int imap_subscribe (char *path, int subscribe)
     mutt_buffer_init (&err);
     err.data = errstr;
     err.dsize = sizeof (errstr);
-    snprintf (mbox, sizeof (mbox), "%smailboxes \"%s\"",
-              subscribe ? "" : "un", path);
+    mblen = snprintf (mbox, sizeof (mbox), "%smailboxes ",
+                      subscribe ? "" : "un");
+    imap_quote_string_and_backquotes (mbox + mblen, sizeof(mbox) - mblen,
+                                      path);
     if (mutt_parse_rc_line (mbox, &token, &err))
       dprint (1, (debugfile, "Error adding subscribed mailbox: %s\n", errstr));
     FREE (&token.data);

diff --git a/imap/imap_private.h b/imap/imap_private.h
index 312fbfe4f928df26dc367fc77f52cbf200ac45e6..349c5a49dc70ea28accbf5d827fe9e5c372752d0 100644 (file)
--- a/imap/imap_private.h
+++ b/imap/imap_private.h
@@ -301,7 +301,8 @@ char* imap_next_word (char* s);
 time_t imap_parse_date (char* s);
 void imap_make_date (char* buf, time_t timestamp);
 void imap_qualify_path (char *dest, size_t len, IMAP_MBOX *mx, char* path);
-void imap_quote_string (char* dest, size_t slen, const char* src);
+void imap_quote_string (char* dest, size_t dlen, const char* src);
+void imap_quote_string_and_backquotes (char *dest, size_t dlen, const char *src);
 void imap_unquote_string (char* s);
 void imap_munge_mbox_name (IMAP_DATA *idata, char *dest, size_t dlen, const char *src);
 void imap_unmunge_mbox_name (IMAP_DATA *idata, char *s);

diff --git a/imap/util.c b/imap/util.c
index 914c93c3c965bb12641e933b260baeb4cabbb933..3274a70c58058b6fd39919db0f6e1a31f3ac906f 100644 (file)
--- a/imap/util.c
+++ b/imap/util.c
@@ -608,11 +608,9 @@ void imap_qualify_path (char *dest, size_t len, IMAP_MBOX *mx, char* path)
 }
 
 
-/* imap_quote_string: quote string according to IMAP rules:
- *   surround string with quotes, escape " and \ with \ */
-void imap_quote_string (char *dest, size_t dlen, const char *src)
+static void _imap_quote_string (char *dest, size_t dlen, const char *src,
+                                const char *to_quote)
 {
-  static const char quote[] = "\"\\";
   char *pt;
   const char *s;
 
@@ -625,7 +623,7 @@ void imap_quote_string (char *dest, size_t dlen, const char *src)
 
   for (; *s && dlen; s++)
   {
-    if (strchr (quote, *s))
+    if (strchr (to_quote, *s))
     {
       dlen -= 2;
       if (!dlen)
@@ -643,6 +641,23 @@ void imap_quote_string (char *dest, size_t dlen, const char *src)
   *pt = 0;
 }
 
+/* imap_quote_string: quote string according to IMAP rules:
+ *   surround string with quotes, escape " and \ with \ */
+void imap_quote_string (char *dest, size_t dlen, const char *src)
+{
+  _imap_quote_string (dest, dlen, src, "\"\\");
+}
+
+/* imap_quote_string_and_backquotes: quote string according to IMAP rules:
+ *   surround string with quotes, escape " and \ with \.
+ * Additionally, escape backquotes with \ to protect against code injection
+ * when using the resulting string in mutt_parse_rc_line().
+ */
+void imap_quote_string_and_backquotes (char *dest, size_t dlen, const char *src)
+{
+  _imap_quote_string (dest, dlen, src, "\"\\`");
+}
+
 /* imap_unquote_string: equally stupid unquoting routine */
 void imap_unquote_string (char *s)
 {