[PATCH] lib-var-expand: Reset safe state when transfer is unset

Otherwise unsafe content is treated safe.

Gbp-Pq: Name CVE-2026-27851.patch

diff --git a/src/lib-var-expand/test-var-expand.c b/src/lib-var-expand/test-var-expand.c
index 3f3327f1b347537b2a6ca964b38317e2db06f86e..3fa9c6869f8e822ce939057619f53df0fb2f138e 100644 (file)
--- a/src/lib-var-expand/test-var-expand.c
+++ b/src/lib-var-expand/test-var-expand.c
@@ -611,6 +611,7 @@ static void test_var_expand_escape(void)
                { .key = "escape", .value = "'hello' \"world\"", },
                { .key = "first", .value = "bobby" },
                { .key = "nasty", .value = "\';-- SELECT * FROM bobby.tables" },
+               { .key = "feisty", .value = "' OR '1'='1" },
                VAR_EXPAND_TABLE_END
        };
 
@@ -653,6 +654,10 @@ static void test_var_expand_escape(void)
                { .in = "%{literal(\"\\\"\\\\hello\\\\world\\\"\")}", .out = "'\"\\hello\\world\"'", .ret = 0 },
                /* Unsupported escape sequence */
                { .in = "%{literal('\\z')}", .out = "Invalid character escape", .ret = -1 },
+
+               /* safe filter */
+               { .in = "%{feisty}", "'\\' OR \\'1\\'=\\'1'", .ret = 0 },
+               { .in = "%{clean|safe} and %{feisty}", "hello world and '\\' OR \\'1\\'=\\'1'", .ret = 0 },
        };
 
        const struct var_expand_params params = {

diff --git a/src/lib-var-expand/var-expand.c b/src/lib-var-expand/var-expand.c
index b17c589d548ad8e07bdc867e5b9135b41e8ab528..1959e3a19a14a914811e08de734a5166d82ed51f 100644 (file)
--- a/src/lib-var-expand/var-expand.c
+++ b/src/lib-var-expand/var-expand.c
@@ -338,6 +338,7 @@ void var_expand_state_set_transfer(struct var_expand_state *state, const char *v
 void var_expand_state_unset_transfer(struct var_expand_state *state)
 {
        str_truncate(state->transfer, 0);
+       state->transfer_safe = FALSE;
        state->transfer_set = FALSE;
 }