Package: dovecot / 1:2.3.21.1+dfsg1-1~bpo12+1

auth-Fix-handling-passdbs-with-identical-driver-args-but-.patch Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
 
From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Mon, 9 May 2022 15:23:33 +0300
Subject: auth: Fix handling passdbs with identical driver/args but different
 mechanisms/username_filter

The passdb was wrongly deduplicated in this situation, causing wrong
mechanisms or username_filter setting to be used. This would be a rather
unlikely configuration though.

Fixed by moving mechanisms and username_filter from struct passdb_module
to struct auth_passdb, which is where they should have been in the first
place.
---
 src/auth/auth-request.c |  6 +++---
 src/auth/auth.c         | 18 ++++++++++++++++++
 src/auth/auth.h         |  5 +++++
 src/auth/passdb.c       | 15 ++-------------
 src/auth/passdb.h       |  4 ----
 5 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/src/auth/auth-request.c b/src/auth/auth-request.c
index ee89e75..cd44cd4 100644
--- a/src/auth/auth-request.c
+++ b/src/auth/auth-request.c
@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct auth_request *request,
 			      struct auth_passdb *passdb)
 {
 	/* if mechanism is not supported, skip */
-	const char *const *mechs = passdb->passdb->mechanisms;
-	const char *const *username_filter = passdb->passdb->username_filter;
+	const char *const *mechs = passdb->mechanisms;
+	const char *const *username_filter = passdb->username_filter;
 	const char *username;
 
 	username = request->fields.user;
@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct auth_request *request,
 		return TRUE;
 	}
 
-	if (passdb->passdb->username_filter != NULL &&
+	if (passdb->username_filter != NULL &&
 	    !auth_request_username_accepted(username_filter, username)) {
 		auth_request_log_debug(request,
 				       request->mech != NULL ? AUTH_SUBSYS_MECH
diff --git a/src/auth/auth.c b/src/auth/auth.c
index 845c43c..a5a4c81 100644
--- a/src/auth/auth.c
+++ b/src/auth/auth.c
@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, const struct auth_passdb_settings *set,
 	auth_passdb->override_fields_tmpl =
 		passdb_template_build(auth->pool, set->override_fields);
 
+	if (*set->mechanisms == '\0') {
+		auth_passdb->mechanisms = NULL;
+	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+		auth_passdb->mechanisms = (const char *const[]){ NULL };
+	} else {
+		auth_passdb->mechanisms =
+			(const char *const *)p_strsplit_spaces(auth->pool,
+				set->mechanisms, " ,");
+	}
+
+	if (*set->username_filter == '\0') {
+		auth_passdb->username_filter = NULL;
+	} else {
+		auth_passdb->username_filter =
+			(const char *const *)p_strsplit_spaces(auth->pool,
+				set->username_filter, " ,");
+	}
+
 	/* for backwards compatibility: */
 	if (set->pass)
 		auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
diff --git a/src/auth/auth.h b/src/auth/auth.h
index 3ca5a9b..6208e4d 100644
--- a/src/auth/auth.h
+++ b/src/auth/auth.h
@@ -41,6 +41,11 @@ struct auth_passdb {
 	struct passdb_template *default_fields_tmpl;
 	struct passdb_template *override_fields_tmpl;
 
+	/* Supported authentication mechanisms, NULL is all, {NULL} is none */
+	const char *const *mechanisms;
+	/* Username filter, NULL is no filter */
+	const char *const *username_filter;
+
 	enum auth_passdb_skip skip;
 	enum auth_db_rule result_success;
 	enum auth_db_rule result_failure;
diff --git a/src/auth/passdb.c b/src/auth/passdb.c
index 9bc2b87..d3c61cc 100644
--- a/src/auth/passdb.c
+++ b/src/auth/passdb.c
@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct auth_passdb_settings *set)
 	passdb->id = ++auth_passdb_id;
 	passdb->iface = *iface;
 	passdb->args = p_strdup(pool, set->args);
-	if (*set->mechanisms == '\0') {
-		passdb->mechanisms = NULL;
-	} else if (strcasecmp(set->mechanisms, "none") == 0) {
-		passdb->mechanisms = (const char *const[]){NULL};
-	} else {
-		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
-	}
-
-	if (*set->username_filter == '\0') {
-		passdb->username_filter = NULL;
-	} else {
-		passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
-	}
+	/* NOTE: if anything else than driver & args are added here,
+	   passdb_find() also needs to be updated. */
 	array_push_back(&passdb_modules, &passdb);
 	return passdb;
 }
diff --git a/src/auth/passdb.h b/src/auth/passdb.h
index b405aa7..8f50050 100644
--- a/src/auth/passdb.h
+++ b/src/auth/passdb.h
@@ -63,10 +63,6 @@ struct passdb_module {
 	/* Default password scheme for this module.
 	   If default_cache_key is set, must not be NULL. */
 	const char *default_pass_scheme;
-	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
-	const char *const *mechanisms;
-	/* Username filter, NULL is no filter */
-	const char *const *username_filter;
 
 	/* If blocking is set to TRUE, use child processes to access
 	   this passdb. */