From 00dc9c789596e5c322e8951161a1ba7811218428 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Fri, 20 Feb 2026 18:37:38 +0200
Subject: [PATCH] [PATCH 05/24] auth: passdb/userdb ldap - Fix escaping ldap filter, base and bind_userdn

Broken by c2ccdab8d09dec65753ee42366f48d53d7f47cfd

Gbp-Pq: Name CVE-2026-24031-27860-2.patch
---
 src/auth/passdb-ldap.c | 23 +++++++++++++++++------
 src/auth/userdb-ldap.c | 23 +++++++++++++++++------
 2 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c
index 34ebc00..7bec50c 100644
--- a/src/auth/passdb-ldap.c
+++ b/src/auth/passdb-ldap.c
@@ -376,9 +376,12 @@ ldap_verify_plain(struct auth_request *request,
  return;
  }
 
+ const struct settings_get_params params = {
+ .escape_func = ldap_escape,
+ };
  const struct ldap_pre_settings *ldap_pre = NULL;
- if (settings_get(event, &ldap_pre_setting_parser_info, 0,
- &ldap_pre, &error) < 0 ||
+ if (settings_get_params(event, &ldap_pre_setting_parser_info,
+ ¶ms, &ldap_pre, &error) < 0 ||
  ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
  &error) < 0) {
  e_error(event, "%s", error);
@@ -414,10 +417,13 @@ static void ldap_lookup_credentials(struct auth_request *request,
  auth_request_ref(request);
  ldap_request->request.ldap.auth_request = request;
 
+ const struct settings_get_params params = {
+ .escape_func = ldap_escape,
+ };
  const char *error;
  const struct ldap_pre_settings *ldap_pre = NULL;
- if (settings_get(event, &ldap_pre_setting_parser_info, 0,
- &ldap_pre, &error) < 0 ||
+ if (settings_get_params(event, &ldap_pre_setting_parser_info, ¶ms,
+ &ldap_pre, &error) < 0 ||
  ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_PASSDB,
  &error) < 0) {
  e_error(event, "%s", error);
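Review bot: The same `ldap_escape` is handed to `settings_get_params` for every value the commit title lists — filter, base and bind_userdn — yet a search filter (RFC 4515) and a DN (RFC 4514) have different escaping rules, so this only closes the gap if `ldap_escape` is correct for both contexts; its implementation is not in the hunk, so please confirm that or choose the escaper per setting. The new `params` block also carries no comment on why it exists; I would add above it `/* %variables are expanded into the LDAP filter/base/bind_userdn; escape them with ldap_escape so request-supplied values cannot alter filter or DN syntax. */`. The identical block appears in ldap_lookup_credentials below and in userdb_ldap_lookup and userdb_ldap_iterate_init in userdb-ldap.c, so a shared `static const struct settings_get_params ldap_pre_params = { .escape_func = ldap_escape };` would replace four copies. ldap_verify_plain's body begins and ends outside the hunk, and `¶ms` in this rendering is an extraction artifact of `&params`.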
@@ -446,8 +452,13 @@ static int passdb_ldap_preinit(pool_t pool, struct event *event,
  if (settings_get(event, &auth_passdb_post_setting_parser_info,
  RAW_SETTINGS, &auth_post, error_r) < 0)
  goto failed;
- if (settings_get(event, &ldap_pre_setting_parser_info,
- RAW_SETTINGS, &ldap_pre, error_r) < 0)
+
+ const struct settings_get_params params = {
+ .escape_func = ldap_escape,
+ .flags = RAW_SETTINGS,
+ };
+ if (settings_get_params(event, &ldap_pre_setting_parser_info,
+ ¶ms, &ldap_pre, error_r) < 0)
  goto failed;
 
  module = p_new(pool, struct ldap_passdb_module, 1);
diff --git a/src/auth/userdb-ldap.c b/src/auth/userdb-ldap.c
index 664e95a..18968c1 100644
--- a/src/auth/userdb-ldap.c
+++ b/src/auth/userdb-ldap.c
@@ -122,9 +122,12 @@ static void userdb_ldap_lookup(struct auth_request *auth_request,
  struct userdb_ldap_request *request;
  const char *error;
 
+ const struct settings_get_params params = {
+ .escape_func = ldap_escape,
+ };
  const struct ldap_pre_settings *ldap_pre = NULL;
- if (settings_get(event, &ldap_pre_setting_parser_info, 0,
- &ldap_pre, &error) < 0 ||
+ if (settings_get_params(event, &ldap_pre_setting_parser_info, ¶ms,
+ &ldap_pre, &error) < 0 ||
  ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_USERDB,
  &error) < 0) {
  e_error(event, "%s", error);
@@ -258,9 +261,12 @@ userdb_ldap_iterate_init(struct auth_request *auth_request,
  request = &ctx->request;
  request->ctx = ctx;
 
+ const struct settings_get_params params = {
+ .escape_func = ldap_escape,
+ };
  const struct ldap_pre_settings *ldap_pre = NULL;
- if (settings_get(event, &ldap_pre_setting_parser_info, 0,
- &ldap_pre, &error) < 0 ||
+ if (settings_get_params(event, &ldap_pre_setting_parser_info, ¶ms,
+ &ldap_pre, &error) < 0 ||
  ldap_pre_settings_post_check(ldap_pre, DB_LDAP_LOOKUP_TYPE_ITERATE,
  &error) < 0) {
  e_error(event, "%s", error);
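Review bot: In passdb_ldap_preinit the new `params` combines `.escape_func = ldap_escape` with `.flags = RAW_SETTINGS`, and nothing in the hunk says whether an escape function has any effect when raw, unexpanded settings are requested; if it does not, the field is dead here and a one-line comment should say it is set only for consistency with the expanding lookups, and if it does, that behaviour deserves a comment just as much. Either way a file-scope `static const struct settings_get_params ldap_pre_raw_params = { .escape_func = ldap_escape, .flags = RAW_SETTINGS };` would replace this block and the identical one in userdb_ldap_preinit in userdb-ldap.c. The rest of the function, including the `failed:` label that the two `goto failed;` lines jump to, is outside the hunk.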
@@ -331,8 +337,13 @@ static int userdb_ldap_preinit(pool_t pool, struct event *event,
  if (settings_get(event, &ldap_post_setting_parser_info,
  RAW_SETTINGS, &ldap_post, error_r) < 0)
  goto failed;
- if (settings_get(event, &ldap_pre_setting_parser_info,
- RAW_SETTINGS, &ldap_pre, error_r) < 0)
+
+ const struct settings_get_params params = {
+ .escape_func = ldap_escape,
+ .flags = RAW_SETTINGS,
+ };
+ if (settings_get_params(event, &ldap_pre_setting_parser_info,
+ ¶ms, &ldap_pre, error_r) < 0)
  goto failed;
 
  module = p_new(pool, struct ldap_userdb_module, 1);
-- 
2.30.2