Mercurial > dovecot > core-2.2
changeset 18763:f59b5a599cae
auth: Make sure %{mech} and %{session} is escaped in %var expansion.
%{mech} is already very trusted and %{session} should be only from trusted
sources as well, so this doesn't fix any actual security holes. They are
also unlikely to have ever even been used in anything that requires
escaping.
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Fri, 29 May 2015 20:55:58 +0300 |
| parents | cb66b25060b7 |
| children | fa891f697005 |
| files | src/auth/auth-request-var-expand.c |
| diffstat | 1 files changed, 2 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/src/auth/auth-request-var-expand.c Fri May 29 19:55:47 2015 +0300 +++ b/src/auth/auth-request-var-expand.c Fri May 29 20:55:58 2015 +0300 @@ -83,7 +83,7 @@ tab[2].value = strchr(auth_request->user, '@'); if (tab[2].value != NULL) tab[2].value = escape_func(tab[2].value+1, auth_request); - tab[3].value = auth_request->service; + tab[3].value = escape_func(auth_request->service, auth_request); /* tab[4] = we have no home dir */ if (auth_request->local_ip.family != 0) tab[5].value = net_ip2addr(&auth_request->local_ip); @@ -102,7 +102,7 @@ dec2str(auth_request->passdb->passdb->id); } tab[10].value = auth_request->mech_name == NULL ? "" : - auth_request->mech_name; + escape_func(auth_request->mech_name, auth_request); tab[11].value = auth_request->secured ? "secured" : ""; tab[12].value = dec2str(auth_request->local_port); tab[13].value = dec2str(auth_request->remote_port);