From 6723707404c72285565457b58c62afc6f1a9d36a Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Fri, 25 Oct 2024 15:23:09 +0100
Subject: [PATCH] Do not permit change-of-separator for pam/radius expansion conditions
---
 src/src/auths/call_pwcheck.c | 5 ++---
 src/src/auths/cyrus_sasl.c | 8 ++++----
 src/src/miscmods/pam.c | 6 +++---
 src/src/miscmods/radius.c | 2 +-
 4 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/src/auths/call_pwcheck.c b/src/src/auths/call_pwcheck.c
index 88f708f62..5903d696e 100644
--- a/src/src/auths/call_pwcheck.c
+++ b/src/src/auths/call_pwcheck.c
@@ -37,10 +37,9 @@ Returns: OK if authentication succeeded
 int auth_call_pwcheck(uschar *s, uschar **errptr) {
-uschar *reply = NULL;
-uschar *pw = Ustrrchr(s, ':');
+uschar * reply = NULL, * pw = Ustrrchr(s, ':');
-if (pw == NULL)
+if (!pw)
 { *errptr = US"pwcheck: malformed input - missing colon"; return ERROR;
diff --git a/src/src/auths/cyrus_sasl.c b/src/src/auths/cyrus_sasl.c
index ed0995637..3b16ebcc9 100644
--- a/src/src/auths/cyrus_sasl.c
+++ b/src/src/auths/cyrus_sasl.c
@@ -111,7 +111,7 @@ auth_cyrus_sasl_init(driver_instance * a)
 auth_instance * ablock = (auth_instance *)a; auth_cyrus_sasl_options_block * ob = a->options_block; const uschar *list, *listptr, *buffer;
-int rc, i;
+int rc, sep;
 unsigned int len; rmark rs_point; uschar *expanded_hostname;
@@ -153,11 +153,11 @@ if ((rc = sasl_server_new(CS ob->server_service, CS expanded_hostname,
 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " "couldn't initialise Cyrus SASL server connection.", a->name);
-if ((rc = sasl_listmech(conn, NULL, "", ":", "", CCSS &list, &len, &i)) != SASL_OK)
+if ((rc = sasl_listmech(conn, NULL, "", ":", "", CCSS &list, &len, NULL)) != SASL_OK)
 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s authenticator: " "couldn't get Cyrus SASL mechanism list.", a->name);
-i = ':';
+sep = ':';
 listptr = list; HDEBUG(D_auth)
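Review bot: In cyrus_sasl.c (hunk at -153), `sep` is still assigned in a separate statement, `sep = ':';`, a leftover from when the variable `i` also served as the count output of sasl_listmech(). Since NULL is now passed there, the value can be set where the variable is declared in the earlier hunk, `int rc, sep = ':';`, and the standalone assignment dropped. A short comment such as `/* fixed ':' separator, matching the sep argument given to sasl_listmech() */` would tie the two together. auth_cyrus_sasl_init() begins and ends outside this hunk.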
@@ -176,7 +176,7 @@ rs_point = store_mark();
 /* loop until either we get to the end of the list, or we match the public name of this authenticator */
-while ( (buffer = string_nextinlist(&listptr, &i, NULL, 0))
+while ( (buffer = string_nextinlist(&listptr, &sep, NULL, 0))
 && strcmpic(buffer,ob->server_mech) ); if (!buffer)
diff --git a/src/src/miscmods/pam.c b/src/src/miscmods/pam.c
index 1c94cc29f..1d391593a 100644
--- a/src/src/miscmods/pam.c
+++ b/src/src/miscmods/pam.c
@@ -120,7 +120,7 @@ return PAM_SUCCESS;
 more data strings. Arguments:
- s a colon-separated list of strings
+ s a (not-changeable-colon)-separated list of strings
 errptr where to point an error message Returns: OK if authentication succeeded
@@ -129,12 +129,12 @@ Returns: OK if authentication succeeded
 */ static int
-auth_call_pam(const uschar *s, uschar **errptr)
+auth_call_pam(const uschar * s, uschar ** errptr)
 { pam_handle_t *pamh = NULL; struct pam_conv pamc; int pam_error;
-int sep = 0;
+int sep = ':'; /* Do not permit change-of-separator */
 uschar *user; /* Set up the input data structure: the address of the conversation function,
diff --git a/src/src/miscmods/radius.c b/src/src/miscmods/radius.c
index b52c06ec1..8e784438b 100644
--- a/src/src/miscmods/radius.c
+++ b/src/src/miscmods/radius.c
@@ -73,7 +73,7 @@ auth_call_radius(const uschar *s, uschar **errptr)
 uschar *user; const uschar *radius_args = s; int result;
-int sep = 0;
+int sep = ':';
 #ifdef RADIUS_LIB_RADLIB struct rad_handle *h;
-- 
2.30.2
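Review bot: In pam.c (hunk at -129), the comment on `int sep = ':';` does not say why the separator must be fixed or what is still left to the caller. Fixing it stops a leading `<x` in the expanded string from re-choosing the separator, but if the list parser treats a doubled colon as a literal one (usual for Exim lists, worth confirming for this call), a colon inside a client-supplied user name or password still shifts the field boundaries unless the configuration doubles it before expansion. I would expand the comment to something like `/* Fixed separator: s may hold client-supplied data, so a leading "<x" must not re-split it; colons inside values must be doubled by the caller */`. The diffstat lists only the four source files, so a regression test for `<`-prefixed input is not part of this patch. auth_call_pam()'s body continues past the hunk.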
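Review bot: In radius.c, the same fix in auth_call_radius() is left without a comment, unlike the pam.c hunk, so the reason for `int sep = ':';` is not visible to someone reading this file alone. Add the matching `/* Do not permit change-of-separator */` on that line. The function's header comment lies outside this hunk; if it still describes `s` as a plain colon-separated list, it should get the same wording update pam.c received.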