Merge branch 'advisory-fix-1'

rubdos · rubdos · commit bea8e732b9ca · 2023-09-19T12:19:38.000+02:00
Fixes a panic vulnerability CVE-2023-42444 See advisory GHSA-whhr-7f2w-qqj2
diff --git a/src/parser/mod.rs b/src/parser/mod.rs
@@ -292,4 +292,10 @@ mod test {
         let res = parser::parse(None, " 2 22#:");
         assert!(res.is_err());
     }
+
+    #[test]
+    fn advisory_1() {
+        let res = parser::parse(None, ".;phone-context=");
+        assert!(res.is_err(), "{res:?}");
+    }
 }
diff --git a/src/parser/rfc3966.rs b/src/parser/rfc3966.rs
@@ -44,7 +44,7 @@ pub fn phone_number(i: &str) -> IResult<&str, Number> {
                     params
                         .as_ref()
                         .and_then(|m| m.get("phone-context"))
-                        .map(|&s| if s.as_bytes()[0] == b'+' { &s[1..] } else { s })
+                        .map(|&s| s.strip_prefix('+').unwrap_or(s))
                 })
                 .map(|cs| cs.into()),
 
@@ -165,4 +165,10 @@ mod test {
             }
         );
     }
+
+    #[test]
+    fn advisory_1() {
+        // Just make sure this does not panic.
+        let _ = rfc3966::phone_number(".;phone-context=");
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -292,4 +292,10 @@ mod test {`
`292`	`292`	`let res = parser::parse(None, " 2 22#:");`
`293`	`293`	`assert!(res.is_err());`
`294`	`294`	`}`
	`295`	`+`
	`296`	`+ #[test]`
	`297`	`+ fn advisory_1() {`
	`298`	`+ let res = parser::parse(None, ".;phone-context=");`
	`299`	`+ assert!(res.is_err(), "{res:?}");`
	`300`	`+ }`
`295`	`301`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ pub fn phone_number(i: &str) -> IResult<&str, Number> {`
`44`	`44`	`params`
`45`	`45`	`.as_ref()`
`46`	`46`	`.and_then(\|m\| m.get("phone-context"))`
`47`		`- .map(\|&s\| if s.as_bytes()[0] == b'+' { &s[1..] } else { s })`
	`47`	`+ .map(\|&s\| s.strip_prefix('+').unwrap_or(s))`
`48`	`48`	`})`
`49`	`49`	`.map(\|cs\| cs.into()),`
`50`	`50`
`@@ -165,4 +165,10 @@ mod test {`
`165`	`165`	`}`
`166`	`166`	`);`
`167`	`167`	`}`
	`168`	`+`
	`169`	`+ #[test]`
	`170`	`+ fn advisory_1() {`
	`171`	`+ // Just make sure this does not panic.`
	`172`	`+ let _ = rfc3966::phone_number(".;phone-context=");`
	`173`	`+ }`
`168`	`174`	`}`