From 957e997761a291f46a5132575626ec6af75bc0e7 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Wed, 4 Mar 2026 09:28:18 +0200
Subject: [PATCH] [PATCH 17/24] doveadm: Use datastack for temporary b64 value

There is no need to allocate it from connection pool.

Gbp-Pq: Name CVE-2026-27856-2.patch
---
 src/doveadm/client-connection-http.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/doveadm/client-connection-http.c b/src/doveadm/client-connection-http.c
index f760548..5d927d1 100644
--- a/src/doveadm/client-connection-http.c
+++ b/src/doveadm/client-connection-http.c
@@ -960,7 +960,7 @@ doveadm_http_server_auth_basic(struct client_request_http *req,
 struct client_connection_http *conn = req->conn;
 const struct doveadm_settings *set = conn->conn.set;
 string_t *b64_value;
- char *value;
+ const char *value;

 if (*set->doveadm_password == '\0') {
 e_error(conn->conn.event,
@@ -969,13 +969,11 @@ doveadm_http_server_auth_basic(struct client_request_http *req,
 return FALSE;
 }

- b64_value = str_new(conn->conn.pool, 32);
- value = p_strdup_printf(conn->conn.pool,
- "doveadm:%s", set->doveadm_password);
- base64_encode(value, strlen(value), b64_value);
+ value = t_strdup_printf("doveadm:%s", set->doveadm_password);
+ b64_value = t_base64_encode_str(0, UINT_MAX, value);

 if (creds->data != NULL &&
- str_equals_timing_almost_safe(value, creds->data))
+ str_equals_timing_almost_safe(str_c(b64_value), creds->data))
 return TRUE;

 e_error(conn->conn.event,
@@ -999,9 +997,7 @@ doveadm_http_server_auth_api_key(struct client_request_http *req,
 return FALSE;
 }

- b64_value = str_new(conn->conn.pool, 32);
- base64_encode(set->doveadm_api_key,
- strlen(set->doveadm_api_key), b64_value);
+ b64_value = t_base64_encode_str(0, UINT_MAX, set->doveadm_api_key);
 if (creds->data != NULL &&
 str_equals_timing_almost_safe(creds->data, str_c(b64_value)))
 return TRUE;
-- 
2.30.2
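Review bot: The operand of the comparison in the `if` changes from `value` to `str_c(b64_value)`, which is more than the allocation cleanup the subject line announces: on the old side the client-supplied `creds->data` was compared with the un-encoded `doveadm:<password>` string, on the new side with its base64 form. Because this is the accept/reject decision for Basic authentication, the intent should be stated next to it, for example `/* Compare against the base64 form: creds->data holds the encoded Basic payload */`; that creds->data is still encoded is inferred from the new comparison, not shown in the patch. A regression test that accepts the encoded credential and rejects the raw string would pin the behaviour. The body of doveadm_http_server_auth_basic starts and ends outside this hunk.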
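Review bot: The two credential checks now pass their arguments to `str_equals_timing_almost_safe` in opposite order: this function keeps `(creds->data, str_c(b64_value))`, while the line added in doveadm_http_server_auth_basic uses `(str_c(b64_value), creds->data)`. Whether the helper's timing behaviour depends on which argument is the client-supplied one cannot be seen from this patch, so using one order in both places, e.g. `str_equals_timing_almost_safe(creds->data, str_c(b64_value)))` in the Basic check, keeps the two paths equivalent and easier to audit. The function continues past the end of this hunk.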