Merge branch 'advisory-fix-1'

Fixes a panic vulnerability CVE-2023-42444 See advisory GHSA-whhr-7f2w-qqj2
whisperfish · Sep 19, 2023 · bea8e73 · bea8e73
2 parents 6e1d06b + 2dddb87
commit bea8e73
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/src/parser/mod.rs b/src/parser/mod.rs
@@ -292,4 +292,10 @@ mod test {
         let res = parser::parse(None, " 2 22#:");
         assert!(res.is_err());
     }
+
+    #[test]
+    fn advisory_1() {
+        let res = parser::parse(None, ".;phone-context=");
+        assert!(res.is_err(), "{res:?}");
+    }
 }
diff --git a/src/parser/rfc3966.rs b/src/parser/rfc3966.rs
@@ -44,7 +44,7 @@ pub fn phone_number(i: &str) -> IResult<&str, Number> {
                     params
                         .as_ref()
                         .and_then(|m| m.get("phone-context"))
-                        .map(|&s| if s.as_bytes()[0] == b'+' { &s[1..] } else { s })
+                        .map(|&s| s.strip_prefix('+').unwrap_or(s))
                 })
                 .map(|cs| cs.into()),
 
@@ -165,4 +165,10 @@ mod test {
             }
         );
     }
+
+    #[test]
+    fn advisory_1() {
+        // Just make sure this does not panic.
+        let _ = rfc3966::phone_number(".;phone-context=");
+    }
 }