doveadm/client-connection-http: Validate request boolean values
authorKarl Fleischmann <karl.fleischmann@open-xchange.com>
Thu, 24 Nov 2022 15:33:27 +0000 (16:33 +0100)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Fri, 2 Dec 2022 10:17:55 +0000 (10:17 +0000)
Only accept "true" and "false" as boolean payload values.

src/doveadm/client-connection-http.c

index 06e93be5988f9a8533229e3f51403916b6c5e9f8..ba00c014ef7d4579bbcfa91a133f670e394ba0ee 100644 (file)
@@ -513,7 +513,17 @@ request_json_parse_param_value(struct client_request_http *req)
        req->cmd_param->value_set = TRUE;
        switch(req->cmd_param->type) {
        case CMD_PARAM_BOOL:
-               req->cmd_param->value.v_bool = (strcmp(value, "true") == 0);
+               if (strcmp(value, "true") == 0) {
+                       req->cmd_param->value.v_bool = TRUE;
+               } else if (strcmp(value, "false") == 0) {
+                       req->cmd_param->value.v_bool = FALSE;
+               } else {
+                       http_server_request_fail_text(http_sreq,
+                               400, "Bad Request",
+                               "Parameter `%s' must be `true' or `false', not `%s'",
+                               req->cmd_param->name, value);
+                       return -1;
+               }
                break;
        case CMD_PARAM_INT64:
                if (str_to_int64(value, &req->cmd_param->value.v_int64) != 0) {
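Review bot: The new 400 branch in the CMD_PARAM_BOOL case formats the client-supplied `value` into the response text with `%s` and no length limit, so whatever the request sent for a boolean parameter is echoed back in full. Whether that is acceptable depends on the content type `http_server_request_fail_text` emits and on the JSON parser's string size limit, neither of which is visible in this hunk. Naming only the parameter keeps the error useful without reflecting request data, i.e. dropping the trailing "not ..." clause from the format string together with the final `value` argument. Separately, `req->cmd_param->value_set = TRUE` at the top of the hunk runs before this validation, so a rejected parameter is left marked as set with `v_bool` unassigned. That is harmless only if every caller abandons the request on -1, which cannot be confirmed here because the function starts and ends outside the hunk.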