# HG changeset patch
# User Timo Sirainen
# Date 1102545350 -7200
# Node ID 155386b3149dfe35770c2624d842236f5a06bd4e
# Parent 41a4ea8496d6a7bf3b85d98421f71339b6376747
When master looked for auth request, it didn't check if the authentication was yet finished, so auth client could have fooled master by beginning authentication without finishing it. Login processes didn't allow users to do this though, so no real problem.
diff -r 41a4ea8496d6 -r 155386b3149d src/auth/auth-master-connection.c
--- a/src/auth/auth-master-connection.c Thu Dec 09 00:06:41 2004 +0200
+++ b/src/auth/auth-master-connection.c Thu Dec 09 00:35:50 2004 +0200
@@ -130,6 +130,10 @@
 client_pid, client_id);
 }
 master_send(conn, "NOTFOUND\t%u", id);
+ } else if (!request->successful) {
+ i_error("Master requested unfinished authentication request "
+ "%u.%u", client_pid, client_id);
+ master_send(conn, "NOTFOUND\t%u", id);
 } else {
 master_request = i_new(struct master_userdb_request, 1);
 master_request->conn = conn;
diff -r 41a4ea8496d6 -r 155386b3149d src/auth/mech.c
--- a/src/auth/mech.c Thu Dec 09 00:06:41 2004 +0200
+++ b/src/auth/mech.c Thu Dec 09 00:35:50 2004 +0200
@@ -158,6 +158,7 @@
 return;
 }
+ request->successful = TRUE;
 if (request->conn != NULL) {
 request->callback(request, AUTH_CLIENT_RESULT_SUCCESS, data, data_size);
diff -r 41a4ea8496d6 -r 155386b3149d src/auth/mech.h
--- a/src/auth/mech.h Thu Dec 09 00:06:41 2004 +0200
+++ b/src/auth/mech.h Thu Dec 09 00:35:50 2004 +0200
@@ -34,6 +34,7 @@
 struct ip_addr local_ip, remote_ip;
 mech_callback_t *callback;
+ unsigned int successful:1;
 unsigned int accept_input:1;
 unsigned int no_failure_delay:1;
 unsigned int no_login:1;
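Review bot: The new `else if (!request->successful)` branch in src/auth/auth-master-connection.c is the authorization check this commit exists for, yet nothing at the branch says so. A comment such as `/* never hand userdb data to master for a request whose mechanism has not reported success */` would stop a later refactor from folding it into the not-found path and losing it. Answering `NOTFOUND` makes an unfinished request indistinguishable from an unknown id on the wire, which looks deliberate. The `i_error()` text is then the only record of the attempt, so it should stay at error level and keep the `client_pid`/`client_id` pair for correlation. The enclosing function starts and ends outside the hunk, so whether a request is invalidated after one successful lookup cannot be confirmed from here.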
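Review bot: `request->successful = TRUE;` in src/auth/mech.c becomes the single value the master lookup trusts, and the hunk shows it being set but never initialised or cleared. If the request structure is not zero-allocated, or the same request can receive further input after this point, the bit could be stale or stay set on a request that later fails. Confirm that the allocation zeroes the struct and that no path after this line can still turn the result into a failure. Setting the flag before `request->callback(...)` is the right order and worth a comment, for example `/* mark finished before notifying the client so a master lookup triggered by the reply sees it */`. The function starts and ends outside the hunk.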
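Review bot: The new `successful:1` bit in src/auth/mech.h carries a security meaning that the name and its neighbours (`accept_input`, `no_login`) do not convey. A field comment such as `/* set only when the mechanism has reported success; master userdb lookups are refused until then */` would document who writes it and who depends on it. The struct's opening and closing lines are outside the hunk.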