From 20f3988a79927ab5c8208c725f9b667d9d27a501 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 31 Jul 2024 18:11:31 +0200
Subject: [PATCH] Fix infinite loop when parsing malformed Sieve script (#9562)

---
 CHANGELOG.md                                       |  1 +
 plugins/managesieve/Changelog                      |  1 +
 .../lib/Roundcube/rcube_sieve_script.php           |  7 ++++---
 .../managesieve/tests/ManagesieveScriptTest.php    | 14 ++++++++++++++
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 840393a885..561e82a4a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -67,6 +67,7 @@
 - Fix bug where "with attachment" filter could fail on some fts engines (#9514)
 - Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
 - Fix bug where a long subject title could not be displayed in some cases (#9416)
+- Fix infinite loop when parsing malformed Sieve script (#9562)
 
 ## Release 1.6.7
 
diff --git a/plugins/managesieve/Changelog b/plugins/managesieve/Changelog
index 8dac12b076..d436dbb00b 100644
--- a/plugins/managesieve/Changelog
+++ b/plugins/managesieve/Changelog
@@ -2,6 +2,7 @@
 - Fix javascript error when relational or spamtest extension is not enabled (#9139)
 - Support an array in managesieve_host option (#9447)
 - Protect special scripts in managesieve_kolab_master mode
+- Fix infinite loop when parsing a malformed script (#9562)
 
 * version 9.5 [2023-03-26]
 -----------------------------------------------------------
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php
index 7028b7f96e..fddff339fa 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_script.php
@@ -1306,9 +1306,10 @@ public static function tokenize($str, $num = 0, &$position = 0)
                     break;
                     // bracket-comment (<< reindent once https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/issues/7179 is fixed)
                 case '/':
-                    if ($str[$position + 1] == '*') {
-                        if ($end_pos = strpos($str, '*/', $position + 2)) {
-                            $position = $end_pos + 2;
+                    $position++;
+                    if ($str[$position] == '*') {
+                        if ($end_pos = strpos($str, '*/', $position + 1)) {
+                            $position = $end_pos + 1;
                         } else {
                             // error
                             $position = $length;
diff --git a/plugins/managesieve/tests/ManagesieveScriptTest.php b/plugins/managesieve/tests/ManagesieveScriptTest.php
index c1c65ad175..6aa1501252 100644
--- a/plugins/managesieve/tests/ManagesieveScriptTest.php
+++ b/plugins/managesieve/tests/ManagesieveScriptTest.php
@@ -59,6 +59,20 @@ public static function provide_parser_cases(): iterable
         return $result;
     }
 
+    /**
+     * Sieve script parsing
+     */
+    public function test_parser_bug9562()
+    {
+        // This is an obviously invalid script
+        $input = "vacation :subject \"a\" :from \"b\"\n<a href=\"https://test.org/\">test</a>";
+        $script = new \rcube_sieve_script($input);
+        $result = $script->as_text();
+
+        // TODO: The output still is BS, but it at least does not cause an infinite loop
+        $this->assertSame("require [\"vacation\"];\r\nvacation :subject \"a\" :from \"b\" \"a\";\r\n", $result);
+    }
+
     public static function provide_tokenizer_cases(): iterable
     {
         return [