From: Stephan Bosch
Date: Sun, 7 Sep 2025 15:13:06 +0000 (+0200)
Subject: lib-sasl: sasl-client-mech-oauthbearer - Prevent sending unsupported characters in...
X-Git-Tag: 2.4.2~161
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2798dbe0eed6b06417241d205de5f60cabdc27d;p=thirdparty%2Fdovecot%2Fcore.git
lib-sasl: sasl-client-mech-oauthbearer - Prevent sending unsupported characters in response payload
---
diff --git a/src/lib-sasl/dsasl-client-mech-oauthbearer.c b/src/lib-sasl/dsasl-client-mech-oauthbearer.c
index 6b8d81f84a..e6ebfe4ebb 100644
--- a/src/lib-sasl/dsasl-client-mech-oauthbearer.c
+++ b/src/lib-sasl/dsasl-client-mech-oauthbearer.c
@@ -6,6 +6,7 @@
 #include "json-istream.h"
 #include "istream.h"
 #include "auth-gs2.h"
+#include "sasl-oauth2.h"
 #include "dsasl-client-private.h"
 
 struct oauthbearer_dsasl_client {
@@ -105,6 +106,10 @@ mech_oauthbearer_output(struct dsasl_client *_client,
 		*error_r = "password not set";
 		return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 	}
+	if (!sasl_oauth2_kvpair_check_value(_client->password)) {
+		*error_r = "password contains unsupported characters";
+		return DSASL_CLIENT_RESULT_ERR_INTERNAL;
+	}
 
 	struct auth_gs2_header gs2_header = {
 		.authzid = _client->set.authid,
@@ -143,6 +148,10 @@ mech_xoauth2_output(struct dsasl_client *_client,
 		*error_r = "password not set";
 		return DSASL_CLIENT_RESULT_ERR_INTERNAL;
 	}
+	if (strchr(_client->password, 0x01) != NULL) {
+		*error_r = "password contains unsupported characters";
+		return DSASL_CLIENT_RESULT_ERR_INTERNAL;
+	}
 
 	str = str_new(_client->pool, 64);
 
diff --git a/src/lib-sasl/sasl-oauth2.c b/src/lib-sasl/sasl-oauth2.c
index cfb4ce9915..15b6737cf6 100644
--- a/src/lib-sasl/sasl-oauth2.c
+++ b/src/lib-sasl/sasl-oauth2.c
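Review bot: The new guard in mech_oauthbearer_output gives no hint what `sasl_oauth2_kvpair_check_value` accepts or why a "password" is being character-checked at all; a one-line comment above the `if` would record it: `/* The token is sent as an RFC 7628 kvpair value (VCHAR / SP / HTAB / CR / LF); anything else, notably the 0x01 pair separator, cannot be represented in the response. */`. Returning DSASL_CLIENT_RESULT_ERR_INTERNAL for what is really unusable client-side input mirrors the adjacent "password not set" branch, so it is consistent, but if the result enum has a value meant for bad settings that would describe the failure more accurately. mech_oauthbearer_output starts and ends outside the hunk.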
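Review bot: The XOAUTH2 guard in mech_xoauth2_output rejects only the byte 0x01, whereas the OAUTHBEARER branch above rejects every byte outside the kvpair value grammar, so the two mechanisms now accept different tokens for the same password setting. Unless XOAUTH2 tokens are known to require characters the stricter check forbids, reusing `if (!sasl_oauth2_kvpair_check_value(_client->password)) {` here would keep one rule for both mechanisms and remove the bare magic number. If the narrower check is deliberate, say so in place, e.g. `/* 0x01 is presumably the separator between the key=value pairs of the XOAUTH2 payload; a token containing it would add extra pairs. */`. mech_xoauth2_output continues outside the hunk.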
@@ -85,3 +85,14 @@ int sasl_oauth2_kvpair_parse(const unsigned char *data, size_t size,
 	*end_r = p;
 	return 0;
 }
+
+bool sasl_oauth2_kvpair_check_value(const char *value)
+{
+	const unsigned char *p = (const unsigned char *)value;
+	const unsigned char *pend = p + strlen(value);
+
+	while (p < pend && (char_lookup[*p] & value_mask) != 0x00)
+		p++;
+
+	return (p == pend);
+}
diff --git a/src/lib-sasl/sasl-oauth2.h b/src/lib-sasl/sasl-oauth2.h
index a9640b8252..9b58e0f232 100644
--- a/src/lib-sasl/sasl-oauth2.h
+++ b/src/lib-sasl/sasl-oauth2.h
@@ -6,4 +6,6 @@ int sasl_oauth2_kvpair_parse(const unsigned char *data, size_t size,
 			     const unsigned char **end_r, const char **error_r);
 
+bool sasl_oauth2_kvpair_check_value(const char *value);
+
 #endif
diff --git a/src/lib-sasl/test-sasl-oauth2.c b/src/lib-sasl/test-sasl-oauth2.c
index 1bf43a52fc..c142e400ef 100644
--- a/src/lib-sasl/test-sasl-oauth2.c
+++ b/src/lib-sasl/test-sasl-oauth2.c
@@ -155,6 +155,8 @@ test_kvpair_valid_next(const unsigned char **in, const unsigned char *in_end,
 
 	test_assert_strcmp(key, test->key);
 	test_assert_strcmp(value, test->value);
+
+	test_assert(sasl_oauth2_kvpair_check_value(value));
 }
 
 static void test_kvpair_valid(void)
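Review bot: `sasl_oauth2_kvpair_check_value` has no contract comment, and the prototype added to sasl-oauth2.h in the next hunk is equally bare; since what counts as valid hinges on `char_lookup` and `value_mask`, which are defined elsewhere in sasl-oauth2.c and not visible here, the header declaration should carry a comment stating that the function returns true when every byte of value is permitted in an RFC 7628 kvpair value, that the empty string is accepted (the loop exits immediately with p == pend), and that value must be non-NULL because it is passed to strlen. The body itself reads fine: the `(const unsigned char *)` cast keeps high bytes from indexing char_lookup with a negative value, and hoisting strlen out of the loop is the right call.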
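Review bot: The assertion added to test_kvpair_valid_next only exercises the accept path, since every value reaching it is one the parser already accepted, so a regression that makes `sasl_oauth2_kvpair_check_value` return true for everything would still pass. A separate case should feed it values that must be rejected, such as a string containing the 0x01 separator or another control byte, and `test_assert(!sasl_oauth2_kvpair_check_value(bad));`; the empty string is also worth pinning as an accepted input. test_kvpair_valid_next starts outside the hunk.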