From fe55a13457f0d9bc21ce65c0525eb4fdb92b88f1 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Wed, 11 Mar 2026 12:46:53 +0200
Subject: [PATCH] [PATCH 24/24] auth: passdb-sql - Require update_query to be
 set when used

Gbp-Pq: Name CVE-2026-27855-4.patch
---
 src/auth/passdb-sql.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/auth/passdb-sql.c b/src/auth/passdb-sql.c
index 2829160..ec160e3 100644
--- a/src/auth/passdb-sql.c
+++ b/src/auth/passdb-sql.c
@@ -270,6 +270,12 @@ static void sql_set_credentials(struct auth_request *request,
 		return;
 	}
 
+	if (*set->update_query == '\0') {
+		e_error(authdb_event(request), "passdb_sql_update_query is empty");
+		callback(FALSE, request);
+		return;
+	}
+
 	sql_request = i_new(struct passdb_sql_request, 1);
 	sql_request->auth_request = request;
 	sql_request->callback.set_credentials = callback;
-- 
2.30.2