diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index ac4b206b2..3270a779b 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -69,6 +69,7 @@ The type attribute can be add,update,fix,remove.
 Precompile regular expression in UnixFTPEntryParser.preParse(List<String>).
 Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser.REGEX.
 Guard against polynomial regular expression used on uncontrolled data in IMAPReply.TAGGED_RESPONSE.
+ Guard against polynomial regular expression used on uncontrolled data in IMAPReply.UNTAGGED_RESPONSE.
 Add protected getters to FTPSClient #204.
 Add SubnetUtils.toString().
diff --git a/src/main/java/org/apache/commons/net/imap/IMAPReply.java b/src/main/java/org/apache/commons/net/imap/IMAPReply.java
index be72341b6..070b1cb2e 100644
--- a/src/main/java/org/apache/commons/net/imap/IMAPReply.java
+++ b/src/main/java/org/apache/commons/net/imap/IMAPReply.java
@@ -76,7 +76,13 @@ public final class IMAPReply {
 */
 private static final Pattern TAGGED_PATTERN = Pattern.compile(TAGGED_RESPONSE);
- private static final String UNTAGGED_RESPONSE = "^\\* (\\S+).*";
+ /**
+ * Guard against Polynomial regular expression used on uncontrolled data.
+ *
+ * Don't look for more than 80 backslashes.
+ * Don't look for more than 80 character.
+ */
+ private static final String UNTAGGED_RESPONSE = "^\\* (\\S{1,80}).{0,80}";
 private static final Pattern UNTAGGED_PATTERN = Pattern.compile(UNTAGGED_RESPONSE);
 private static final Pattern LITERAL_PATTERN = Pattern.compile("\\{(\\d+)\\}$"); // {dd}
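Review bot: The bounds added to `UNTAGGED_RESPONSE` (`\\S{1,80}` and `.{0,80}`) change which server lines are accepted, not only how much backtracking is possible. If `UNTAGGED_PATTERN` is applied with a whole-input `matches()` (its call sites are outside this hunk), any untagged response with more than 80 characters after the first token stops matching, which long but valid server lines can exceed. A possessive quantifier removes the overlap between the two quantifiers without capping the length, `private static final String UNTAGGED_RESPONSE = "^\\* (\\S++).*";`, and a maximum line length is better enforced where the server line is read. If the cap is kept, the Javadoc needs correcting, because `\\S` matches non-whitespace characters rather than backslashes: `Don't capture more than 80 non-whitespace characters.` and `Don't match more than 80 further characters.`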