From a010f629f0493464e097c6ee7630cbd059eab24c Mon Sep 17 00:00:00 2001
From: smizrahi
Date: Wed, 30 Nov 2022 12:40:52 +0100
Subject: [PATCH] fix(security): Security fix for WSTG-INPV-02. Fix NSException where mailIdentities is invalid on init. Closes #5651.
---
 SoObjects/SOGo/SOGoUserDefaults.m | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/SoObjects/SOGo/SOGoUserDefaults.m b/SoObjects/SOGo/SOGoUserDefaults.m
index 99dc81b45..357f8ebe6 100644
--- a/SoObjects/SOGo/SOGoUserDefaults.m
+++ b/SoObjects/SOGo/SOGoUserDefaults.m
@@ -799,15 +799,19 @@ NSString *SOGoPasswordRecoverySecondaryEmail = @"SecondaryEmail";
 {
 NSMutableArray *mailIdentities;
 NSMutableDictionary *mailIdentity;
+ NSString *fullName;
 NSUInteger i;
 // Remove possible XSS injection
 mailIdentities = [NSMutableArray arrayWithArray: [self arrayForKey: @"SOGoMailIdentities"]];
 for (i = 0 ; i < [mailIdentities length] ; i++) {
 mailIdentity = [mailIdentities objectAtIndex: i];
- if ([mailIdentity objectForKey: @"fullName"]) {
- [mailIdentity setObject: [[mailIdentity objectForKey: @"fullName"] stringWithoutHTMLInjection: YES] forKey: @"fullName"];
- [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
+ if (mailIdentity && [mailIdentity objectForKey: @"fullName"] && [[self arrayForKey: @"SOGoMailIdentities"] isKindOfClass: [NSString class]]) {
+ fullName = [NSString stringWithString: [self arrayForKey: @"SOGoMailIdentities"]];
+ if (fullName) {
+ [mailIdentity setObject: [fullName stringWithoutHTMLInjection: YES] forKey: @"fullName"];
+ [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
+ }
 }
 }
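Review bot: The new guard asks whether `[self arrayForKey: @"SOGoMailIdentities"]` is an `NSString` and then builds `fullName` from that same value, not from the identity's own `fullName` entry, so for a well-formed identities array the branch appears never to be taken and the HTML stripping under the "Remove possible XSS injection" comment no longer runs. The type check and the read should both target the entry: `if ([mailIdentity isKindOfClass: [NSDictionary class]] && [[mailIdentity objectForKey: @"fullName"] isKindOfClass: [NSString class]]) {` followed by `fullName = [mailIdentity objectForKey: @"fullName"];`. Two context lines deserve a look in the same pass: the loop bound uses `[mailIdentities length]`, which Foundation arrays do not implement (`count` is the usual selector, unless the project adds a category), and `setObject:forKey:` assumes the stored dictionary is mutable, which the hunk does not establish. The method's signature and its return are outside the hunk, so how the sanitised array is handed back cannot be checked from here.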