Use stricter parsing logic for quoted-strings in addr-specs

Switched to using a stricter version of SkipQuoted that is more
specifically designed for quoted-string local-parts in addr-spec
tokens.

The main intention is to prevent MailboxAddresses from having an
Address property that contains <CR><LF> sequences which can be
used to exploit `MAIL FROM` and/or `RCPT TO` SMTP commands by
injecting arbitrary SMTP commands within the quoted local-part
of a mailbox address.

Author: jstedfast

MimeKit/InternetAddress.cs

@@ -307,6 +307,80 @@ protected virtual void OnChanged ()
 			Changed?.Invoke (this, EventArgs.Empty);
 		}
 
+		static bool SkipQuoted (byte[] text, ref int index, int endIndex, bool throwOnError)
+		{
+			// From rfc5322:
+			//
+			// qcontent        =   qtext / quoted-pair
+			//
+			// qtext           =   %d33 /             ; Printable US-ASCII
+			//                     %d35-91 /          ; characters not including
+			//                     %d93-126 /         ; "\" or the quote character
+			//                     obs-qtext
+			//
+			// obs-qtext       =   <any CHAR excepting <">,     ; => may be folded
+			//                     "\" & CR, and including
+			//                     linear-white-space>
+			//
+			// quoted-pair     =   ("\" (VCHAR / WSP)) / obs-qp
+			//
+			// VCHAR           =  %x21-7E             ; visible (printing) characters
+			//
+			// WSP             =  SP / HTAB           ; white space
+			int startIndex = index;
+			bool escaped = false;
+
+			// skip over leading '"'
+			index++;
+
+			while (index < endIndex) {
+				byte c = text[index];
+
+				if (c == (byte) '\\') {
+					escaped = !escaped;
+				} else if (!escaped) {
+					if (c == (byte) '"')
+						break;
+
+					// Note: the qtext definition from rfc5322 accepts %d33, %d35-91, and %d93-126 and so you
+					// might expect that we limit the characters to those ranges, but rfc6532 extends the qtext
+					// definition to allow UTF-8 characters and so we need to allow for that as well. In addition
+					// to that, obs-qtext also explicitly allows linear whitespace (SPACE %d32 and HTAB %d09), so
+					// the only characters that are not allowed are the control characters (%d0-8 and %d10-31),
+					// the double-quote character (%d34), and the delete character (%d127).
+					if (c < 9 || (c > 9 && c < 32) || c == 34 || c == 127) {
+						if (throwOnError)
+							throw new ParseException (string.Format (CultureInfo.InvariantCulture, "Invalid character in quoted-string token at offset {0}", startIndex), startIndex, index);
+
+						return false;
+					}
+				} else {
+					if (c < 9 || (c > 9 && c < 32) || c == 127) {
+						if (throwOnError)
+							throw new ParseException (string.Format (CultureInfo.InvariantCulture, "Invalid quoted-pair in quoted-string token at offset {0}", startIndex), startIndex, index);
+
+						return false;
+					}
+
+					escaped = false;
+				}
+
+				index++;
+			}
+
+			if (index >= endIndex) {
+				if (throwOnError)
+					throw new ParseException (string.Format (CultureInfo.InvariantCulture, "Incomplete quoted-string token at offset {0}", startIndex), startIndex, index);
+
+				return false;
+			}
+
+			// skip over the closing '"'
+			index++;
+
+			return true;
+		}
+
 		internal static bool TryParseLocalPart (byte[] text, ref int index, int endIndex, RfcComplianceMode compliance, bool skipTrailingCfws, bool throwOnError, [NotNullWhen (true)] out string? localpart)
 		{
 			using var token = new ValueStringBuilder (128);
@@ -319,7 +393,7 @@ internal static bool TryParseLocalPart (byte[] text, ref int index, int endIndex
 				int start = index;
 
 				if (text[index] == (byte) '"') {
-					if (!ParseUtils.SkipQuoted (text, ref index, endIndex, throwOnError))
+					if (!SkipQuoted (text, ref index, endIndex, throwOnError))
 						return false;
 				} else if (text[index].IsAtom ()) {
 					if (!ParseUtils.SkipAtom (text, ref index, endIndex))

UnitTests/InternetAddressTests.cs

@@ -183,6 +183,42 @@ public void TestParseMailboxWithIncompleteLocalPart ()
 			AssertParseFailure (text, false, tokenIndex, errorIndex);
 		}
 
+		[Test]
+		public void TestParseMailboxWithInvalidQuotedLocalPart ()
+		{
+			const string text = "\"invalid\r\nquoted\"@domain.com";
+			int errorIndex = text.IndexOf ('\r');
+			const int tokenIndex = 0;
+
+			AssertParseFailure (text, false, tokenIndex, errorIndex);
+		}
+
+		[Test]
+		public void TestParseMailboxWithInvalidQuotedPairLocalPart ()
+		{
+			const string text = "\"invalid\\\rquoted\"@domain.com";
+			int errorIndex = text.IndexOf ('\r');
+			const int tokenIndex = 0;
+
+			AssertParseFailure (text, false, tokenIndex, errorIndex);
+		}
+
+		[Test]
+		public void TestParseMailboxWithValidQuotedLocalPart ()
+		{
+			const string text = "\"\t !\\\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\"@domain.com";
+
+			AssertParse (text);
+		}
+
+		[Test]
+		public void TestParseMailboxWithValidUTF8QuotedLocalPart ()
+		{
+			const string text = "\"名がドメイン\"@domain.com";
+
+			AssertParse (text);
+		}
+
 		[Test]
 		public void TestParseIncompleteQuotedString ()
 		{

UnitTests/MailboxAddressTests.cs

@@ -349,6 +349,64 @@ public void TestParseMailboxWithIncompleteLocalPart ()
 			AssertParseFailure (text, false, tokenIndex, errorIndex);
 		}
 
+		[Test]
+		public void TestParseMailboxWithInvalidQuotedLocalPart ()
+		{
+			const string text = "\"invalid\r\nquoted\"@domain.com";
+			int errorIndex = text.IndexOf ('\r');
+			const int tokenIndex = 0;
+
+			AssertParseFailure (text, false, tokenIndex, errorIndex);
+
+			try {
+				var mailbox = new MailboxAddress ("Name", text);
+				Assert.Fail ("Expected ParseException in .ctor");
+			} catch (ParseException pex) {
+				Assert.That (pex.TokenIndex, Is.EqualTo (tokenIndex), ".ctor ParseException.TokenIndex");
+				Assert.That (pex.ErrorIndex, Is.EqualTo (errorIndex), ".ctor ParseException.ErrorIndex");
+			} catch (Exception ex) {
+				Assert.Fail ($"Expected ParseException, got {ex.GetType ().Name}");
+			}
+		}
+
+		[Test]
+		public void TestParseMailboxWithInvalidQuotedPairLocalPart ()
+		{
+			const string text = "\"invalid\\\rquoted\"@domain.com";
+			int errorIndex = text.IndexOf ('\r');
+			const int tokenIndex = 0;
+
+			AssertParseFailure (text, false, tokenIndex, errorIndex);
+
+			try {
+				var mailbox = new MailboxAddress ("Name", text);
+				Assert.Fail ("Expected ParseException in .ctor");
+			} catch (ParseException pex) {
+				Assert.That (pex.TokenIndex, Is.EqualTo (tokenIndex), ".ctor ParseException.TokenIndex");
+				Assert.That (pex.ErrorIndex, Is.EqualTo (errorIndex), ".ctor ParseException.ErrorIndex");
+			} catch (Exception ex) {
+				Assert.Fail ($"Expected ParseException, got {ex.GetType ().Name}");
+			}
+		}
+
+		[Test]
+		public void TestParseMailboxWithValidQuotedLocalPart ()
+		{
+			const string text = "\"\t !\\\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\"@domain.com";
+
+			AssertParse (text);
+			Assert.DoesNotThrow (() => new MailboxAddress ("Name", text), "MailboxAddress .ctor should not throw an exception.");
+		}
+
+		[Test]
+		public void TestParseMailboxWithValidUTF8QuotedLocalPart ()
+		{
+			const string text = "\"名がドメイン\"@domain.com";
+
+			AssertParse (text);
+			Assert.DoesNotThrow (() => new MailboxAddress ("Name", text), "MailboxAddress .ctor should not throw an exception.");
+		}
+
 		[Test]
 		public void TestParseIncompleteQuotedString ()
 		{