From: Aki Tuomi
Date: Sat, 10 Apr 2021 14:54:45 +0000 (+0300)
Subject: lib-oauth2: Move identifier escaping to own function
X-Git-Tag: 2.3.16~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1db66e39500672bc167d5e4e2e7232b8f7d87c05;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Move identifier escaping to own function
---
diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 09d3970743..da7db2dc5d 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -52,6 +52,38 @@ static int get_time_field(const struct json_tree *tree, const char *key,
 return -1;
 }
+/* Escapes '.', '/' and '%' in identifier to %hex */
+static const char *escape_identifier(const char *identifier)
+{
+ size_t pos = strcspn(identifier, "./%");
+ if (pos < strlen(identifier)) {
+ /* sanitize identifier, cannot allow dots or / in it, so we
+ encode them */
+ string_t *new_id = t_str_new(strlen(identifier));
+ /* put initial data */
+ str_append_data(new_id, identifier, pos);
+
+ for (const char *c = identifier+pos; *c != '\0'; c++) {
+ switch (*c) {
+ case '.':
+ str_append(new_id, "%2e");
+ break;
+ case '/':
+ str_append(new_id, "%2f");
+ break;
+ case '%':
+ str_append(new_id, "%25");
+ break;
+ default:
+ str_append_c(new_id, *c);
+ break;
+ }
+ }
+ return str_c(new_id);
+ }
+ return identifier;
+}
+
 static int oauth2_lookup_hmac_key(const struct oauth2_settings *set, const char *azp, const char *alg, const char *key_id,
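Review bot: The comment above `escape_identifier()` says which characters are escaped but not what the caller gets back or why the escaping matters. The function returns the input pointer unchanged when nothing needs escaping and otherwise a string built with `t_str_new()`, so the result may alias the argument or be a data-stack string that must not be kept beyond the current frame. I would extend the comment to `/* Escapes '.', '/' and '%' in identifier to %hex so that a value taken from a token cannot contain dots or slashes. Returns identifier itself if nothing was escaped, otherwise a data-stack string. */`. As a small style point, `pos < strlen(identifier)` could be written `identifier[pos] != '\0'`, which avoids a second scan of the string.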
@@ -436,32 +468,8 @@ int oauth2_try_parse_jwt(const struct oauth2_settings *set,
 else if (*kid == '\0') {
 *error_r = "'kid' field is empty";
 return -1;
- }
-
- size_t pos = strcspn(kid, "./%");
- if (pos < strlen(kid)) {
- /* sanitize kid, cannot allow dots or / in it, so we encode them
- */
- string_t *new_kid = t_str_new(strlen(kid));
- /* put initial data */
- str_append_data(new_kid, kid, pos);
- for (const char *c = kid+pos; *c != '\0'; c++) {
- switch (*c) {
- case '.':
- str_append(new_kid, "%2e");
- break;
- case '/':
- str_append(new_kid, "%2f");
- break;
- case '%':
- str_append(new_kid, "%25");
- break;
- default:
- str_append_c(new_kid, *c);
- break;
- }
- }
- kid = str_c(new_kid);
+ } else {
+ kid = escape_identifier(kid);
 }
 /* parse body */
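Review bot: Only `kid` is passed through `escape_identifier()` here, although `oauth2_lookup_hmac_key()` (its signature is visible in the first hunk's context) also takes `azp` and `alg` alongside `key_id`. If `azp` is read from the token body after `/* parse body */` and ends up in the same lookup key, it is just as untrusted as `kid` and should get the same treatment, e.g. `azp = escape_identifier(azp);` before the lookup call. That code is outside this hunk, so this needs confirming against the rest of `oauth2_try_parse_jwt()`, which starts and ends outside the hunk.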