Better input validation in *Store.createUri()

2024-11-27 03:32:16 -05:00 · 2011-10-13 02:35:08 +02:00 · 2011-10-13 02:35:08 +02:00 · b05750c245
commit b05750c245
parent 7a9c747db9
4 changed files with 40 additions and 15 deletions
--- a/src/com/fsck/k9/mail/store/ImapStore.java
+++ b/src/com/fsck/k9/mail/store/ImapStore.java
@ -237,7 +237,8 @@ public class ImapStore extends Store {
        String passwordEnc;
        try {
            userEnc = URLEncoder.encode(server.username, "UTF-8");
-            passwordEnc = URLEncoder.encode(server.password, "UTF-8");
+            passwordEnc = (server.password != null) ?
+                    URLEncoder.encode(server.password, "UTF-8") : "";
        }
        catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException("Could not encode username or password", e);
@ -263,7 +264,15 @@ public class ImapStore extends Store {
                break;
        }

-        String userInfo = server.authenticationType + ":" + userEnc + ":" + passwordEnc;
+        AuthType authType;
+        try {
+            authType = AuthType.valueOf(server.authenticationType);
+        } catch (Exception e) {
+            throw new IllegalArgumentException("Invalid authentication type: " +
+                    server.authenticationType);
+        }
+
+        String userInfo = authType.toString() + ":" + userEnc + ":" + passwordEnc;
        try {
            Map<String, String> extra = server.getExtra();
            String prefix = (extra != null) ? extra.get(ImapStoreSettings.PATH_PREFIX_KEY) : null;
--- a/src/com/fsck/k9/mail/store/Pop3Store.java
+++ b/src/com/fsck/k9/mail/store/Pop3Store.java
@ -121,7 +121,8 @@ public class Pop3Store extends Store {
        String passwordEnc;
        try {
            userEnc = URLEncoder.encode(server.username, "UTF-8");
-            passwordEnc = URLEncoder.encode(server.password, "UTF-8");
+            passwordEnc = (server.password != null) ?
+                    URLEncoder.encode(server.password, "UTF-8") : "";
        }
        catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException("Could not encode username or password", e);
--- a/src/com/fsck/k9/mail/store/WebDavStore.java
+++ b/src/com/fsck/k9/mail/store/WebDavStore.java
@ -203,7 +203,8 @@ public class WebDavStore extends Store {
        String passwordEnc;
        try {
            userEnc = URLEncoder.encode(server.username, "UTF-8");
-            passwordEnc = URLEncoder.encode(server.password, "UTF-8");
+            passwordEnc = (server.password != null) ?
+                    URLEncoder.encode(server.password, "UTF-8") : "";
        }
        catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException("Could not encode username or password", e);
@ -229,15 +230,22 @@ public class WebDavStore extends Store {
                break;
        }

-        Map<String, String> extra = server.getExtra();
        String userInfo = userEnc + ":" + passwordEnc;
-        String path = extra.get(WebDavStoreSettings.PATH_KEY);
-        path = (path != null) ? path : "";
-        String authPath = extra.get(WebDavStoreSettings.AUTH_PATH_KEY);
-        authPath = (authPath != null) ? authPath : "";
-        String mailboxPath = extra.get(WebDavStoreSettings.MAILBOX_PATH_KEY);
-        mailboxPath = (mailboxPath != null) ? mailboxPath : "";
-        String uriPath = path + "|" + authPath + "|" + mailboxPath;
+
+        String uriPath;
+        Map<String, String> extra = server.getExtra();
+        if (extra != null) {
+            String path = extra.get(WebDavStoreSettings.PATH_KEY);
+            path = (path != null) ? path : "";
+            String authPath = extra.get(WebDavStoreSettings.AUTH_PATH_KEY);
+            authPath = (authPath != null) ? authPath : "";
+            String mailboxPath = extra.get(WebDavStoreSettings.MAILBOX_PATH_KEY);
+            mailboxPath = (mailboxPath != null) ? mailboxPath : "";
+            uriPath = path + "|" + authPath + "|" + mailboxPath;
+        } else {
+            uriPath = "||";
+        }
+
        try {
            return new URI(scheme, userInfo, server.host, server.port, uriPath,
                null, null).toString();
--- a/src/com/fsck/k9/mail/transport/SmtpTransport.java
+++ b/src/com/fsck/k9/mail/transport/SmtpTransport.java
@ -129,8 +129,10 @@ public class SmtpTransport extends Transport {
        String userEnc;
        String passwordEnc;
        try {
-            userEnc = URLEncoder.encode(server.username, "UTF-8");
-            passwordEnc = URLEncoder.encode(server.password, "UTF-8");
+            userEnc = (server.username != null) ?
+                    URLEncoder.encode(server.username, "UTF-8") : "";
+            passwordEnc = (server.password != null) ?
+                    URLEncoder.encode(server.password, "UTF-8") : "";
        }
        catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException("Could not encode username or password", e);
@ -156,7 +158,12 @@ public class SmtpTransport extends Transport {
                break;
        }

-        String userInfo = userEnc + ":" + passwordEnc + ":" + server.authenticationType;
+        String authType = server.authenticationType;
+        if (!"CRAM_MD5".equals(authType) && !"PLAIN".equals(authType)) {
+            throw new IllegalArgumentException("Invalid authentication type: " + authType);
+        }
+
+        String userInfo = userEnc + ":" + passwordEnc + ":" + authType;
        try {
            return new URI(scheme, userInfo, server.host, server.port, null, null,
                    null).toString();