Guard against polynomial regular expression used on uncontrolled data in

IMAPReply.TAGGED_RESPONSE
apache · Feb 23, 2024 · 1745292 · 1745292
1 parent f6717be
commit 1745292
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -67,7 +67,8 @@ The <action> type attribute can be add,update,fix,remove.
     <release version="3.11.0" date="202Y-MM-DD" description="Maintenance and bug fix release (Java 8 or above).">
       <!-- FIX -->
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Precompile regular expression in UnixFTPEntryParser.preParse(List&lt;String&gt;).</action>
-      <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser.REGEX.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in IMAPReply.TAGGED_RESPONSE.</action>
       <!-- ADD -->
       <action type="add" issue="NET-726" dev="ggregory" due-to="PJ Fanning, Gary Gregory">Add protected getters to FTPSClient #204.</action>
       <action type="add" dev="ggregory" due-to="Gary Gregory">Add SubnetUtils.toString().</action> 

diff --git a/src/main/java/org/apache/commons/net/imap/IMAPReply.java b/src/main/java/org/apache/commons/net/imap/IMAPReply.java
@@ -62,9 +62,18 @@ public final class IMAPReply {
     // Start of line for continuation replies
     private static final String IMAP_CONTINUATION_PREFIX = "+";
 
-    private static final String TAGGED_RESPONSE = "^\\w+ (\\S+).*"; // TODO perhaps be less strict on tag match?
+    /**
+     * Guard against Polynomial regular expression used on uncontrolled data.
+     *
+     * Don't look for more than 80 letters.
+     * Don't look for more than 80 non-whitespace.
+     * Don't look for more than 80 character.
+     */
+    private static final String TAGGED_RESPONSE = "^\\w{1,80} (\\S{1,80}).{0,80}";
 
-    // tag cannot contain: + ( ) { SP CTL % * " \ ]
+    /**
+     * Tag cannot contain: + ( ) { SP CTL % * " \ ]
+     */
     private static final Pattern TAGGED_PATTERN = Pattern.compile(TAGGED_RESPONSE);
 
     private static final String UNTAGGED_RESPONSE = "^\\* (\\S+).*";