Decode UTF-7 more strictly

Reported by svalkanov in <https://hackerone.com/reports/1969040>.
ruby · Jun 9, 2023 · ed4786b · ed4786b
1 parent 203e243
commit ed4786b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/lib/net/imap/data_encoding.rb b/lib/net/imap/data_encoding.rb
@@ -54,9 +54,9 @@ class IMAP < Protocol
     # Net::IMAP does _not_ automatically encode and decode
     # mailbox names to and from UTF-7.
     def self.decode_utf7(s)
-      return s.gsub(/&([^-]+)?-/n) {
-        if $1
-          ($1.tr(",", "/") + "===").unpack1("m").encode(Encoding::UTF_8, Encoding::UTF_16BE)
+      return s.gsub(/&([A-Za-z0-9+,]+)?-/n) {
+        if base64 = $1
+          (base64.tr(",", "/") + "===").unpack1("m").encode(Encoding::UTF_8, Encoding::UTF_16BE)
         else
           "&"
         end

diff --git a/test/net/imap/test_imap_data_encoding.rb b/test/net/imap/test_imap_data_encoding.rb
@@ -29,6 +29,10 @@ def test_decode_utf7
     s = Net::IMAP.decode_utf7("&,yH,Iv8j-")
     utf8 = "\357\274\241\357\274\242\357\274\243".dup.force_encoding("UTF-8")
     assert_equal(utf8, s)
+
+    assert_linear_performance([1, 10, 100], pre: ->(n) {'&'*(n*1_000)}) do |s|
+      Net::IMAP.decode_utf7(s)
+    end
   end
 
   def test_encode_date