Merge pull request #150 from DirectoryTree/escape-id

Escape ID command parameters to prevent injection

Author: stevebauman

src/Connection/ImapConnection.php

@@ -539,7 +539,7 @@ public function id(?array $ids = null): UntaggedResponse
             $token = '(';
 
             foreach ($ids as $id) {
-                $token .= '"'.$id.'" ';
+                $token .= '"'.Str::escape($id).'" ';
             }
 
             $token = rtrim($token).')';

tests/Unit/Connection/ImapConnectionTest.php

@@ -648,6 +648,28 @@
     expect($response->type()->is('ID'))->toBeTrue();
 });
 
+test('id escapes special characters to prevent command injection', function () {
+    $stream = new FakeStream;
+    $stream->open();
+
+    $stream->feed([
+        '* OK Welcome to IMAP',
+        '* ID NIL',
+        'TAG1 OK ID completed',
+    ]);
+
+    $connection = new ImapConnection($stream);
+    $connection->connect('imap.example.com');
+
+    $connection->id([
+        'name' => 'Evil"Client',
+        'version' => "1.0\r\nLOGOUT",
+        'vendor' => 'Test\\Vendor',
+    ]);
+
+    $stream->assertWritten('TAG1 ID ("Evil\\"Client" "1.0LOGOUT" "Test\\\\Vendor")');
+});
+
 test('expunge', function () {
     $stream = new FakeStream;
     $stream->open();