From 60716f8c11ec770f40db2dc3b47286419855187d Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Tue, 24 Feb 2026 12:24:37 +0200
Subject: [PATCH] [PATCH 09/24] auth: passdb sql - Fix escaping for set_credentials()

This was only used by OTP SASL mechanism after successful authentication, so it practically couldn't be used for SQL injections.

Broken by ef0c63b690e6ef9fbd53cb815dfab50d1667ba3a

Gbp-Pq: Name CVE-2026-24031-27860-6.patch
---
 src/auth/passdb-sql.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/auth/passdb-sql.c b/src/auth/passdb-sql.c
index f3682d4..2829160 100644
--- a/src/auth/passdb-sql.c
+++ b/src/auth/passdb-sql.c
@@ -258,8 +258,13 @@ static void sql_set_credentials(struct auth_request *request,
 request->mech_password = p_strdup(request->pool, new_credentials);
- if (settings_get(authdb_event(request), &passdb_sql_setting_parser_info, 0,
- &set, &error) < 0) {
+ const struct settings_get_params params = {
+ .escape_func = passdb_sql_escape,
+ .escape_context = module->db,
+ };
+ if (settings_get_params(authdb_event(request),
+ &passdb_sql_setting_parser_info, ¶ms,
+ &set, &error) < 0) {
 e_error(authdb_event(request), "%s", error);
 callback(FALSE, request);
 return;
-- 
2.30.2
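Review bot: The escape parameters are assembled by hand at this call site, and the commit message itself records that this is how the escaping was lost once already (`Broken by ef0c63b…`); a single `static` helper wrapping `settings_get_params()` with `.escape_func = passdb_sql_escape` and `.escape_context = module->db`, used by the lookup/verify paths and by `sql_set_credentials()` alike, would make it impossible to drop the escape function from one caller without dropping it everywhere. The function header and the declaration of `module` lie outside the hunk, as do the other `settings_get` call sites, so their shape is inferred here rather than seen. The description's "practically couldn't be used for SQL injections" looks optimistic: `request->mech_password` is set from `new_credentials` immediately before the settings are resolved, and if the OTP re-initialisation exchange lets the authenticated client choose the stored value (not visible here), that string is attacker-controlled input reaching the update query through variable expansion, which is precisely what `passdb_sql_escape` now guards; a comment on that assignment, e.g. `/* new_credentials may be client-supplied and can reach the SQL query via variable expansion; it is escaped through params.escape_func below */`, would keep the next refactor honest. A regression test that pushes a credential containing a single quote through this path would pin the fix. Note that in this rendering the hunk's trailing `}` and the blank context line after the `mech_password` assignment appear lost, and `¶ms` is presumably a mangled `&params`.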