From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Sun, 29 Mar 2026 16:33:45 +0000 (+0300)
Subject: [PATCH] lib-var-expand: Reset safe state when transfer is unset
X-Git-Tag: archive/raspbian/1%2.4.1+dfsg1-6+rpi1+deb13u6^2~7
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=64c2b60ad3b3040528e1775d1e21f4f4daba0759;p=dovecot.git

[PATCH] lib-var-expand: Reset safe state when transfer is unset

Otherwise unsafe content is treated safe.

Gbp-Pq: Name CVE-2026-27851.patch
---

diff --git a/src/lib-var-expand/test-var-expand.c b/src/lib-var-expand/test-var-expand.c
index 3f3327f..3fa9c68 100644
--- a/src/lib-var-expand/test-var-expand.c
+++ b/src/lib-var-expand/test-var-expand.c
@@ -611,6 +611,7 @@ static void test_var_expand_escape(void)
 		{ .key = "escape", .value = "'hello' \"world\"", },
 		{ .key = "first", .value = "bobby" },
 		{ .key = "nasty", .value = "\';-- SELECT * FROM bobby.tables" },
+		{ .key = "feisty", .value = "' OR '1'='1" },
 		VAR_EXPAND_TABLE_END
 	};
 
@@ -653,6 +654,10 @@ static void test_var_expand_escape(void)
 		{ .in = "%{literal(\"\\\"\\\\hello\\\\world\\\"\")}", .out = "'\"\\hello\\world\"'", .ret = 0 },
 		/* Unsupported escape sequence */
 		{ .in = "%{literal('\\z')}", .out = "Invalid character escape", .ret = -1 },
+
+		/* safe filter */
+		{ .in = "%{feisty}", "'\\' OR \\'1\\'=\\'1'", .ret = 0 },
+		{ .in = "%{clean|safe} and %{feisty}", "hello world and '\\' OR \\'1\\'=\\'1'", .ret = 0 },
 	};
 
 	const struct var_expand_params params = {
diff --git a/src/lib-var-expand/var-expand.c b/src/lib-var-expand/var-expand.c
index b17c589..1959e3a 100644
--- a/src/lib-var-expand/var-expand.c
+++ b/src/lib-var-expand/var-expand.c
@@ -338,6 +338,7 @@ void var_expand_state_set_transfer(struct var_expand_state *state, const char *v
 void var_expand_state_unset_transfer(struct var_expand_state *state)
 {
 	str_truncate(state->transfer, 0);
+	state->transfer_safe = FALSE;
 	state->transfer_set = FALSE;
 }