auth: Make sure %{mech} and %{session} is escaped in %var expansion.

%{mech} is already very trusted and %{session} should be only from trusted
sources as well, so this doesn't fix any actual security holes. They are
also unlikely to have ever even been used in anything that requires
escaping.

diff --git a/src/auth/auth-request-var-expand.c b/src/auth/auth-request-var-expand.c
index 69eed2e5fd6d62b9d7f8d55d5195d8fa7c3081c4..e7d48b622a4f2694afa42cd9bec69c022088ed60 100644 (file)
--- a/src/auth/auth-request-var-expand.c
+++ b/src/auth/auth-request-var-expand.c
@@ -83,7 +83,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
        tab[2].value = strchr(auth_request->user, '@');
        if (tab[2].value != NULL)
                tab[2].value = escape_func(tab[2].value+1, auth_request);
-       tab[3].value = auth_request->service;
+       tab[3].value = escape_func(auth_request->service, auth_request);
        /* tab[4] = we have no home dir */
        if (auth_request->local_ip.family != 0)
                tab[5].value = net_ip2addr(&auth_request->local_ip);
@@ -102,7 +102,7 @@ auth_request_get_var_expand_table_full(const struct auth_request *auth_request,
                        dec2str(auth_request->passdb->passdb->id);
        }
        tab[10].value = auth_request->mech_name == NULL ? "" :
-               auth_request->mech_name;
+               escape_func(auth_request->mech_name, auth_request);
        tab[11].value = auth_request->secured ? "secured" : "";
        tab[12].value = dec2str(auth_request->local_port);
        tab[13].value = dec2str(auth_request->remote_port);