auth: Escape exported session ID string in protocol replies
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Thu, 6 Aug 2020 11:10:50 +0000 (14:10 +0300)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Thu, 27 Aug 2020 06:20:18 +0000 (06:20 +0000)
The session ID normally comes only from trusted sources, so the lack of
escaping shouldn't have mattered too much.

src/auth/auth-request-fields.c

index a35347b10ebf1acfc6faaf4cf4e666cb8c4b2c8c..182a40ce743b2696faa496b55a8212dc95077f25 100644 (file)
@@ -94,8 +94,10 @@ void auth_request_export(struct auth_request *request, string_t *dest)
                str_append(dest, "\tlocal_name=");
                str_append_tabescaped(dest, fields->local_name);
        }
-       if (fields->session_id != NULL)
-               str_printfa(dest, "\tsession=%s", fields->session_id);
+       if (fields->session_id != NULL) {
+               str_append(dest, "\tsession=");
+               str_append_tabescaped(dest, fields->session_id);
+       }
        if (event_want_debug(request->event))
                str_append(dest, "\tdebug");
        switch (fields->secured) {
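Review bot: The new `session` block has no comment recording why the value must be escaped, so the invariant lives only in the commit message. The reply built here is a TAB-separated field list, as the `"\tlocal_name="` and `"\tsession="` prefixes show, so a TAB or line feed inside `session_id` would presumably be read by the receiver as an extra field. I would add `/* values are TAB-delimited on the wire: always append strings with str_append_tabescaped(), never with "%s" */` above the `if`. auth_request_export() starts and ends outside this hunk, so any other `str_printfa(dest, "...%s", ...)` calls in the lines not shown are worth checking for the same pattern. A unit test that exports a `session_id` containing a TAB and asserts the escaped output would keep this from regressing.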