diff --git a/ChangeLog b/ChangeLog index 0126ccfd5..32a692dd9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -200,6 +200,7 @@ Version 1.5.2 - SVN charset conversion exploits, and request forgery through included images. Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting these issues. [CVE-2007-1262] + - Fix busy loop and notice when two literals in IMAP fetch (#1739433). Version 1.5.1 (branched on 2006-02-12) -------------------------------------- diff --git a/functions/imap_general.php b/functions/imap_general.php index a0db4b45d..6011497eb 100755 --- a/functions/imap_general.php +++ b/functions/imap_general.php @@ -466,6 +466,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, we prohibid that literal responses appear in the outer loop so we can trust the untagged and tagged info provided by $read */ + $read_literal = false; if ($s === "}\r\n") { $j = strrpos($read,'{'); $iLit = substr($read,$j+1,-3); @@ -490,7 +491,9 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, if ($read === false) { /* error */ break 4; /* while while switch while */ } - $fetch_data[] = $read; + $s = substr($read,-3); + $read_literal = true; + continue; } else { $fetch_data[] = $read; } @@ -503,7 +506,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, /* check for next untagged reponse and break */ if ($read{0} == '*') break 2; $s = substr($read,-3); - } while ($s === "}\r\n"); + } while ($s === "}\r\n" || $read_literal); $s = substr($read,-3); } while ($read{0} !== '*' && substr($read,0,strlen($tag)) !== $tag);