From: Aki Tuomi Date: Fri, 8 May 2020 10:08:42 +0000 (+0300) Subject: auth: oauth2 - Set username after parsing X-Git-Tag: 2.3.11.2~110 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5228ab6d68616e4fe317da4b9b2cd063c0b9ce2f;p=thirdparty%2Fdovecot%2Fcore.git auth: oauth2 - Set username after parsing Otherwise we might mistakenly set username despite the token being malformed. --- diff --git a/src/auth/mech-oauth2.c b/src/auth/mech-oauth2.c index 52eb1007ed..3e652ecbd1 100644 --- a/src/auth/mech-oauth2.c +++ b/src/auth/mech-oauth2.c @@ -101,19 +101,14 @@ mech_xoauth2_auth_continue(struct auth_request *request, const char *error; const char *token = NULL; const char *const *ptr; + const char *username; const char *const *fields = t_strsplit(t_strndup(data, data_size), "\x01"); for(ptr = fields; *ptr != NULL; ptr++) { if (str_begins(*ptr, "user=")) { /* xoauth2 does not require unescaping because the data format does not contain anything to escape */ - const char *username = (*ptr)+5; - if (!auth_request_set_username(request, username, &error)) { - e_info(request->mech_event, - "%s", error); - auth_request_fail(request); - return; - } + username = (*ptr)+5; user_given = TRUE; } else if (str_begins(*ptr, "auth=")) { const char *value = (*ptr)+5; @@ -130,6 +125,13 @@ mech_xoauth2_auth_continue(struct auth_request *request, /* do not fail on unexpected fields */ } + if (user_given && !auth_request_set_username(request, username, &error)) { + e_info(request->mech_event, + "%s", error); + auth_request_fail(request); + return; + } + if (user_given && token != NULL) auth_request_verify_plain(request, token, xoauth2_verify_callback); @@ -196,9 +198,6 @@ mech_oauthbearer_auth_continue(struct auth_request *request, "Invalid username escaping"); auth_request_fail(request); return; - } else if (!auth_request_set_username(request, username, &error)) { - e_info(request->mech_event, - "%s", error); } else { user_given = TRUE; } 
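Review bot: `username` is declared without an initializer at the top of this hunk and is assigned only inside the `user=` branch, so the later read is safe only because it is gated on `user_given`; the flag and the pointer have to stay in step through every future edit of this parser. Declaring it as `const char *username = NULL;` makes a mistaken read deterministic and avoids maybe-uninitialized warnings from compilers that cannot follow the flag. Because the value is now applied once after the loop, a repeated `user=` field silently replaces the earlier one and only the last occurrence is validated; a short comment saying whether that is intended would help. The body of mech_xoauth2_auth_continue starts and ends outside this hunk.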
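Review bot: The added check calls `auth_request_set_username()` whenever `user_given` is true, ahead of the `token != NULL` test that follows it, so a message carrying `user=` but no `auth=` field still attaches a client-supplied username to the request. The commit message states the aim as not setting a username when the token is malformed; if a missing token should be treated the same way, the guard could read `if (user_given && token != NULL && !auth_request_set_username(request, username, &error)) {`. If the username is deliberately kept on the failure path, a comment above the check should say so. The same applies to the block added to mech_oauthbearer_auth_continue in the last hunk; the branch taken when the token is missing lies outside both hunks, so its handling cannot be confirmed from here.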
@@ -226,6 +225,12 @@ mech_oauthbearer_auth_continue(struct auth_request *request, } /* do not fail on unexpected fields */ } + if (user_given && !auth_request_set_username(request, username, &error)) { + e_info(request->mech_event, + "%s", error); + auth_request_fail(request); + return; + } if (user_given && token != NULL) auth_request_verify_plain(request, token, oauthbearer_verify_callback);