[PATCH 09/24] auth: passdb sql - Fix escaping for set_credentials()
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Tue, 24 Feb 2026 10:24:37 +0000 (12:24 +0200)
committerNoah Meyerhans <noahm@debian.org>
Tue, 31 Mar 2026 19:07:17 +0000 (15:07 -0400)
This was only used by the OTP SASL mechanism after successful authentication, so
in practice it could not be used for SQL injection.

Broken by ef0c63b690e6ef9fbd53cb815dfab50d1667ba3a

Gbp-Pq: Name CVE-2026-24031-27860-6.patch

src/auth/passdb-sql.c

index f3682d4926871ec3c2d144d7ae4ca3a7efaab699..28291606eada8407788d546036ce17860fbba70a 100644 (file)
@@ -258,8 +258,13 @@ static void sql_set_credentials(struct auth_request *request,
 
        request->mech_password = p_strdup(request->pool, new_credentials);
 
-       if (settings_get(authdb_event(request), &passdb_sql_setting_parser_info, 0,
-                        &set, &error) < 0) {
+       const struct settings_get_params params = {
+               .escape_func = passdb_sql_escape,
+               .escape_context = module->db,
+       };
+       if (settings_get_params(authdb_event(request),
+                               &passdb_sql_setting_parser_info, &params,
+                               &set, &error) < 0) {
                e_error(authdb_event(request), "%s", error);
                callback(FALSE, request);
                return;
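Review bot: The new `params` block gives no hint of why this particular settings_get call needs an escape callback, and the next maintainer adding a settings lookup in this file has nothing to tell them it is required; a short why-comment above line L22 would carry the lesson of this patch, e.g. `/* Variable expansion in the SQL settings (the new password) must go through the driver's quoting, otherwise the update query is built from unescaped input. */`. If the lookup path in this file already builds an identical `settings_get_params` with `passdb_sql_escape` and `module->db`, a small `static` helper returning that struct would keep the escaping in one place so a future call site cannot silently omit it again, as the earlier commit named in the description did. `module` is not defined in the hunk and is presumably the passdb module bound to `request` earlier in the function; sql_set_credentials starts before this hunk and its body (where `set` is used to run the query) continues past it.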