{
  "commit": "20210882f3e919bdee81cbe0acf4c7b6b5c00ae6",
  "tree": "74dd30fea130db4c9b244f09ce939804bd8dcded",
  "parents": [
    "0f1e76b8eeec0b06a65bc88763aa6f28e8e4003b"
  ],
  "author": {
    "name": "Maxim Dounin",
    "email": "mdounin@mdounin.ru",
    "time": "Wed May 19 03:13:20 2021 +0300"
  },
  "committer": {
    "name": "Maxim Dounin",
    "email": "mdounin@mdounin.ru",
    "time": "Wed May 19 03:13:20 2021 +0300"
  },
  "message": "Mail: fixed s-\u003earg_start clearing on invalid IMAP commands.\n\nPreviously, s-\u003earg_start was left intact after invalid IMAP commands,\nand this might result in an argument incorrectly added to the following\ncommand.  Similarly, s-\u003ebackslash was left intact as well, leading\nto unneeded backslash removal.\n\nFor example (LFs from the client are explicitly shown as \"\u003cLF\u003e\"):\n\n  S: * OK IMAP4 ready\n  C: a01 login \"\\\u003cLF\u003e\n  S: a01 BAD invalid command\n  C: a0000000000\\2 authenticate \u003cLF\u003e\n  S: a00000000002 aBAD invalid command\n\nThe backslash followed by LF generates invalid command with s-\u003earg_start\nand s-\u003ebackslash set, the following command incorrectly treats anything\nfrom the old s-\u003earg_start to the space after the command as an argument,\nand removes the backslash from the tag.  If there is no space, s-\u003earg_end\nwill be NULL.\n\nBoth things seem to be harmless though.  In particular:\n\n- This can be used to provide an incorrect argument to a command without\n  arguments.  The only command which seems to look at the single argument\n  is AUTHENTICATE, and it checks the argument length before trying to\n  access it.\n\n- Backslash removal uses the \"end\" pointer, and stops due to \"src \u003c end\"\n  condition instead of scanning all the process memory if s-\u003earg_end is\n  NULL (and arg[0].len is huge).\n\n- There should be no backslashes in unquoted strings.\n\nAn obvious fix is to clear s-\u003earg_start and s-\u003ebackslash on invalid commands,\nsimilarly to how it is done in POP3 parsing (added in 810:e3aa8f305d21) and\nSMTP parsing.\n\nThis, however, makes it clear that s-\u003earg_start handling in the \"done\"\nlabel is wrong: s-\u003earg_start cannot be legitimately set there, as it\nis expected to be cleared in all possible cases when the \"done\" label is\nreached.  The relevant code is dead and will be removed by the following\nchange.\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "e55010c60749001b0ce2a8a167b886f615eaed9c",
      "old_mode": 33188,
      "old_path": "src/mail/ngx_mail_parse.c",
      "new_id": "5d5f3b460a50c586d35b57a48efbe079db144b50",
      "new_mode": 33188,
      "new_path": "src/mail/ngx_mail_parse.c"
    }
  ]
}
