dovecot-2.2: auth: Make sure %{mech} and %{session} are escaped i...

dovecot at dovecot.org
Fri May 29 17:58:30 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/f59b5a599cae
changeset: 18763:f59b5a599cae
user:      Timo Sirainen <tss at iki.fi>
date:      Fri May 29 20:55:58 2015 +0300
description:
auth: Make sure %{mech} and %{session} are escaped in %var expansion.
%{mech} is already very trusted and %{session} should be only from trusted
sources as well, so this doesn't fix any actual security holes. They are
also unlikely to have ever even been used in anything that requires
escaping.

diffstat:

 src/auth/auth-request-var-expand.c |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (21 lines):

diff -r cb66b25060b7 -r f59b5a599cae src/auth/auth-request-var-expand.c
--- a/src/auth/auth-request-var-expand.c	Fri May 29 19:55:47 2015 +0300
+++ b/src/auth/auth-request-var-expand.c	Fri May 29 20:55:58 2015 +0300
@@ -83,7 +83,7 @@
 	tab[2].value = strchr(auth_request->user, '@');
 	if (tab[2].value != NULL)
 		tab[2].value = escape_func(tab[2].value+1, auth_request);
-	tab[3].value = auth_request->service;
+	tab[3].value = escape_func(auth_request->service, auth_request);
 	/* tab[4] = we have no home dir */
 	if (auth_request->local_ip.family != 0)
 		tab[5].value = net_ip2addr(&auth_request->local_ip);
@@ -102,7 +102,7 @@
 			dec2str(auth_request->passdb->passdb->id);
 	}
 	tab[10].value = auth_request->mech_name == NULL ? "" :
-		auth_request->mech_name;
+		escape_func(auth_request->mech_name, auth_request);
 	tab[11].value = auth_request->secured ? "secured" : "";
 	tab[12].value = dec2str(auth_request->local_port);
 	tab[13].value = dec2str(auth_request->remote_port);
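Review bot: the NULL-to-"" guard is kept, so requests without a mechanism name still expand %{mech} to an empty string and escape_func is only ever called on a non-NULL pointer, matching the tab[2] pattern from the previous hunk. The remaining values in this region (the "secured" literal and the dec2str port numbers) contain no characters that need escaping, so the hunk covers the only string in this block that could.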

