Guard against polynomial regular expression used on uncontrolled data in

IMAPReply.UNTAGGED_RESPONSE

src/changes/changes.xml

@@ -69,6 +69,7 @@ The <action> type attribute can be add,update,fix,remove.
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Precompile regular expression in UnixFTPEntryParser.preParse(List&lt;String&gt;).</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser.REGEX.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in IMAPReply.TAGGED_RESPONSE.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Guard against polynomial regular expression used on uncontrolled data in IMAPReply.UNTAGGED_RESPONSE.</action>
       <!-- ADD -->
       <action type="add" issue="NET-726" dev="ggregory" due-to="PJ Fanning, Gary Gregory">Add protected getters to FTPSClient #204.</action>
       <action type="add" dev="ggregory" due-to="Gary Gregory">Add SubnetUtils.toString().</action> 

src/main/java/org/apache/commons/net/imap/IMAPReply.java

@@ -76,7 +76,13 @@ public final class IMAPReply {
      */
     private static final Pattern TAGGED_PATTERN = Pattern.compile(TAGGED_RESPONSE);
 
-    private static final String UNTAGGED_RESPONSE = "^\\* (\\S+).*";
+    /**
+     * Guard against Polynomial regular expression used on uncontrolled data.
+     *
+     * Don't look for more than 80 backslashes.
+     * Don't look for more than 80 character.
+     */
+    private static final String UNTAGGED_RESPONSE = "^\\* (\\S{1,80}).{0,80}";
 
     private static final Pattern UNTAGGED_PATTERN = Pattern.compile(UNTAGGED_RESPONSE);
     private static final Pattern LITERAL_PATTERN = Pattern.compile("\\{(\\d+)\\}$"); // {dd}