diff src/director/login-connection.c @ 22311:25af9d4dad59

global: Replaced t_strsplit_tab() calls with t_strsplit_tabescaped()

This is useful especially in auth code to support LFs in extra fields. Other pieces of code were also tab-escaping strings, but never unescaping them. Usually it didn't matter, because nobody would use the escaped characters. Still, the code wasn't exactly behaving correctly. One downside to this change is that it's now possible to pass through TABs, CRs and LFs through the various protocols. In theory this shouldn't cause any problems, but combined with other bugs this could trigger some security problems.
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Thu, 20 Oct 2016 17:45:44 +0300
parents 2e2563132d5f
children 2ed6735ffc7a
--- a/src/director/login-connection.c	Wed May 17 12:26:42 2017 +0300
+++ b/src/director/login-connection.c	Thu Oct 20 17:45:44 2016 +0300
@@ -7,6 +7,7 @@
 #include "istream.h"
 #include "ostream.h"
 #include "llist.h"
+#include "strescape.h"
 #include "master-service.h"
 #include "director.h"
 #include "director-request.h"
@@ -199,7 +200,7 @@
 	}
 
 	/* OK <id> [<parameters>] */
-	args = t_strsplit_tab(line_params);
+	args = t_strsplit_tabescaped(line_params);
 	if (*args != NULL) {
 		/* we should always get here, but in case we don't just
 		   forward as-is and let login process handle the error. */
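Review bot: after `args = t_strsplit_tabescaped(line_params);` the elements of `args` are unescaped, so a field can now contain a literal TAB, CR or LF, as the commit message itself points out. The visible lines do not show what is done with `args` further down in this function, but the comment "forward as-is and let login process handle the error" implies the reply is passed on to the login process. If any of these fields is written back into a tab-delimited line, each one has to be escaped again on output (for example with `str_append_tabescaped()` or `str_tabescape()` from the newly included strescape.h), otherwise an embedded LF would be forwarded as a line terminator and an embedded TAB as a field separator. Please confirm that the code following this hunk re-escapes what it forwards, or include that change in the same commit so the split and the re-join stay symmetric.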