From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Thu, 19 Nov 2020 17:55:42 +0000 (+0200)
Subject: lib-oauth2: Ensure azp is escaped too
X-Git-Tag: 2.3.14.1~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bae4e44596d6548322665d242b055f44fe1dc58d;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Ensure azp is escaped too
---

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 2d46273814..b12cd13875 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -408,6 +408,8 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
 	const char *azp = get_field(tree, "azp");
 	if (azp == NULL)
 		azp = "default";
+	else
+		azp = escape_identifier(azp);
 
 	if (oauth2_validate_signature(set, azp, alg, kid, blobs, error_r) < 0)
 		return -1;
diff --git a/src/lib-oauth2/test-oauth2-jwt.c b/src/lib-oauth2/test-oauth2-jwt.c
index 15e8721191..9b0c269e6e 100644
--- a/src/lib-oauth2/test-oauth2-jwt.c
+++ b/src/lib-oauth2/test-oauth2-jwt.c
@@ -227,13 +227,15 @@ create_jwt_token_fields_kid(const char *algo, const char *kid, time_t exp, time_
 }
 
 #define save_key(algo, key) save_key_to(algo, "default", (key))
-static void save_key_to(const char *algo, const char *name, const char *keydata)
+#define save_key_to(algo, name, key) save_key_azp_to(algo, "default", name, (key))
+static void save_key_azp_to(const char *algo, const char *azp,
+			    const char *name, const char *keydata)
 {
 	const char *error;
 	struct dict_transaction_context *ctx =
 		dict_transaction_begin(keys_dict);
 	algo = t_str_ucase(algo);
-	dict_set(ctx, t_strconcat(DICT_PATH_SHARED, "default/", algo, "/",
+	dict_set(ctx, t_strconcat(DICT_PATH_SHARED, azp, "/", algo, "/",
 				  name, NULL),
 		 keydata);
 	if (dict_transaction_commit(&ctx, &error) < 0)
@@ -308,18 +310,23 @@ static void test_jwt_hs_token(void)
 static void test_jwt_token_escape(void)
 {
 	struct test_case {
+		const char *azp;
 		const char *alg;
 		const char *kid;
+		const char *esc_azp;
 		const char *esc_kid;
 	} test_cases[] = {
-		{ "hs256", "", "default" },
-		{ "hs256", "test", "test" },
+		{ "", "hs256", "", "default", "default" },
+		{ "", "hs256", "test", "default", "test" },
+		{ "test", "hs256", "test", "test", "test" },
 		{
+			"http://test.unit/local%key",
 			"hs256",
 			"http://test.unit/local%key",
 			"http:%2f%2ftest%2eunit%2flocal%25key",
+			"http:%2f%2ftest%2eunit%2flocal%25key"
 		},
-		{ "hs256", "../", "%2e%2e%2f" },
+		{ "../", "hs256", "../", "%2e%2e%2f", "%2e%2e%2f" },
 	};
 	buffer_t *b64_key =
 		t_base64_encode(0, SIZE_MAX, hs_sign_key->data, hs_sign_key->used);
@@ -332,13 +339,18 @@ static void test_jwt_token_escape(void)
 		struct oauth2_field *field = array_append_space(&fields);
 		field->name = "sub";
 		field->value = "testuser";
+		if (*test_case->azp != '\0') {
+			field = array_append_space(&fields);
+			field->name = "azp";
+			field->value = test_case->azp;
+		}
 		if (*test_case->kid != '\0') {
 			field = array_append_space(&fields);
 			field->name = "kid";
 			field->value = test_case->kid;
 		}
-		save_key_to(test_case->alg, test_case->esc_kid,
-			    str_c(b64_key));
+		save_key_azp_to(test_case->alg, test_case->esc_azp, test_case->esc_kid,
+				str_c(b64_key));
 		buffer_t *token = create_jwt_token_fields_kid(test_case->alg,
 							      test_case->kid,
 							      time(NULL)+500,