From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Fri, 25 Jul 2025 08:41:03 +0000 (+0300)
Subject: auth: auth-cache - Require cache key to contain at least one variable
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0172f8e8c55aff42c688633b2891cf157641366b;p=thirdparty%2Fdovecot%2Fcore.git

auth: auth-cache - Require cache key to contain at least one variable
---

diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
index be56934918..32959f5d0f 100644
--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
@@ -86,6 +86,13 @@ static int auth_cache_parse_key_exclude(pool_t pool, const char *query,
 	const char *const *vars = var_expand_program_variables(prog);
 	str = t_str_new(32);
 
+	if (*vars == NULL && *query != '\0') {
+		var_expand_program_free(&prog);
+		*error_r = t_strdup_printf("%s: Cache key must contain at least one variable",
+					   query);
+		return -1;
+	}
+
 	for (; *vars != NULL; vars++) {
 		/* ignore any providers */
 		if (strchr(*vars, ':') != NULL &&
diff --git a/src/auth/test-auth-cache.c b/src/auth/test-auth-cache.c
index 46836defc6..b36d83ec02 100644
--- a/src/auth/test-auth-cache.c
+++ b/src/auth/test-auth-cache.c
@@ -97,7 +97,35 @@ static void test_auth_cache_parse_key(void)
 						 tests[i].in);
 		test_assert_strcmp_idx(cache_key, tests[i].out, i);
 	}
+
+	test_end();
+}
+
+static enum fatal_test_state test_cache_key_missing_variable(unsigned int i)
+{
+	if (i == 0)
+		test_begin("auth cache missing variable");
+
+	/* ensure that we do not accept static string */
+	static const struct {
+		const char *in, *out;
+	} tests_bad[] = {
+		{ "%u", "auth-cache: %u: Cache key must contain at least one variable" },
+		{ "foobar", "auth-cache: foobar: Cache key must contain at least one variable" },
+		{ "%{test", "auth-cache: var_expand_program_create(%{test) " \
+			    "failed: syntax error, unexpected end of file, " \
+			    "expecting CCBRACE or PIPE" },
+	};
+
+	if (i < N_ELEMENTS(tests_bad)) {
+		test_expect_fatal_string(tests_bad[i].out);
+		(void)auth_cache_parse_key(pool_datastack_create(),
+					   tests_bad[i].in);
+		return FATAL_TEST_FAILURE;
+	}
+
 	test_end();
+	return FATAL_TEST_FINISHED;
 }
 
 int main(void)
@@ -108,7 +136,14 @@ int main(void)
 		test_auth_cache_parse_key,
 		NULL
 	};
-	int ret = test_run(test_functions);
+
+	static test_fatal_func_t *const fatal_functions[] = {
+		test_cache_key_missing_variable,
+		NULL,
+	};
+
+	int ret = test_run_with_fatals(test_functions, fatal_functions);
+
 	event_unref(&auth_event);
 	return ret;
 }