fix(security): Security fix for WSTG-INPV-02. Fix NSException where mailIdentities is invalid on init. Closes #5651.

2026-05-19 18:35:25 +00:00 · 2022-11-30 12:40:52 +01:00
parent 6971ebd2d1
commit a010f629f0
1 changed files with 7 additions and 3 deletions
@@ -799,15 +799,19 @@ NSString *SOGoPasswordRecoverySecondaryEmail = @"SecondaryEmail";
 {
  NSMutableArray *mailIdentities;
  NSMutableDictionary *mailIdentity;
+  NSString *fullName;
  NSUInteger i;

  // Remove possible XSS injection
  mailIdentities = [NSMutableArray arrayWithArray: [self arrayForKey: @"SOGoMailIdentities"]];
  for (i = 0 ; i < [mailIdentities length] ; i++) {
    mailIdentity = [mailIdentities objectAtIndex: i];
-    if ([mailIdentity objectForKey: @"fullName"]) {
-      [mailIdentity setObject: [[mailIdentity objectForKey: @"fullName"] stringWithoutHTMLInjection: YES] forKey: @"fullName"];
-      [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
+    if (mailIdentity && [mailIdentity objectForKey: @"fullName"] && [[self arrayForKey: @"SOGoMailIdentities"] isKindOfClass: [NSString class]]) {
+      fullName = [NSString stringWithString: [self arrayForKey: @"SOGoMailIdentities"]];
+      if (fullName) {
+        [mailIdentity setObject: [fullName stringWithoutHTMLInjection: YES] forKey: @"fullName"];
+        [mailIdentities setObject: mailIdentity atIndexedSubscript: i];
+      }
    }
  }