Decode UTF-7 more strictly

nobu · shugo · commit ed4786b010dd · 2023-06-09T17:12:51.000+09:00
Reported by svalkanov in <https://hackerone.com/reports/1969040>.
diff --git a/lib/net/imap/data_encoding.rb b/lib/net/imap/data_encoding.rb
@@ -54,9 +54,9 @@ class IMAP < Protocol
     # Net::IMAP does _not_ automatically encode and decode
     # mailbox names to and from UTF-7.
     def self.decode_utf7(s)
-      return s.gsub(/&([^-]+)?-/n) {
-        if $1
-          ($1.tr(",", "/") + "===").unpack1("m").encode(Encoding::UTF_8, Encoding::UTF_16BE)
+      return s.gsub(/&([A-Za-z0-9+,]+)?-/n) {
+        if base64 = $1
+          (base64.tr(",", "/") + "===").unpack1("m").encode(Encoding::UTF_8, Encoding::UTF_16BE)
         else
           "&"
         end
diff --git a/test/net/imap/test_imap_data_encoding.rb b/test/net/imap/test_imap_data_encoding.rb
@@ -29,6 +29,10 @@ def test_decode_utf7
     s = Net::IMAP.decode_utf7("&,yH,Iv8j-")
     utf8 = "\357\274\241\357\274\242\357\274\243".dup.force_encoding("UTF-8")
     assert_equal(utf8, s)
+
+    assert_linear_performance([1, 10, 100], pre: ->(n) {'&'*(n*1_000)}) do |s|
+      Net::IMAP.decode_utf7(s)
+    end
   end
 
   def test_encode_date
