Mail: stricter checking of IMAP tags.

Only "A-Za-z0-9-._" characters now allowed (which is stricter than what
RFC 3501 requires, but expected to be enough for all known clients),
and tags shouldn't be longer than 32 characters.

diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index cc5293093d3b747c6c76849dbc2e476d3f14c946..47c9e3a90747589cb7adc3bbebccc30153e81985 100644 (file)
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -265,6 +265,17 @@ ngx_mail_imap_parse_command(ngx_mail_session_t *s)
             case LF:
                 s->state = sw_start;
                 return NGX_MAIL_PARSE_INVALID_COMMAND;
+            default:
+                if ((ch < 'A' || ch > 'Z') && (ch < 'a' || ch > 'z')
+                    && (ch < '0' || ch > '9') && ch != '-' && ch != '.'
+                    && ch != '_')
+                {
+                    goto invalid;
+                }
+                if (p - s->buffer->start > 31) {
+                    goto invalid;
+                }
+                break;
             }
             break;