From: Timo Sirainen <timo.sirainen@dovecot.fi>
Date: Wed, 14 Dec 2016 17:03:02 +0000 (+0200)
Subject: auth: Don't log errors when cache_key expansion finds unknown %variables
X-Git-Tag: 2.3.0.rc1~2429
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c77606aef2dadad72e1a97f6d820dadb05d1d44;p=thirdparty%2Fdovecot%2Fcore.git

auth: Don't log errors when cache_key expansion finds unknown %variables
---

diff --git a/src/auth/auth-cache.c b/src/auth/auth-cache.c
index eaad8b1105..c47808ff6d 100644
--- a/src/auth/auth-cache.c
+++ b/src/auth/auth-cache.c
@@ -349,8 +349,15 @@ auth_request_expand_cache_key(const struct auth_request *request,
 			  request->master_user == NULL ? "" : "+%{master_user}",
 			  "\t", key, NULL);
 
+	/* It's fine to have unknown %variables in the cache key.
+	   For example db-ldap can have pass_attrs containing
+	   %{ldap:fields} which are used for output, not as part of
+	   the input needed for cache_key. Those could in theory be
+	   filtered out early in the cache_key, but that gets more
+	   problematic when it needs to support also filtering out
+	   e.g. %{sha256:ldap:fields}. */
 	if (t_auth_request_var_expand(key, request, auth_cache_escape,
-				      &value, &error) <= 0 && !error_logged) {
+				      &value, &error) < 0 && !error_logged) {
 		error_logged = TRUE;
 		i_error("Failed to expand auth cache key %s: %s", key, error);
 	}