cyrus-imapd/cyrus-imapd-CVE-2019-18928.patch


diff --git a/imap/httpd.c b/imap/httpd.c
index 5dcf38dc4..d2fdeb945 100644
--- a/imap/httpd.c
+++ b/imap/httpd.c
@@ -1729,6 +1729,25 @@ static int examine_request(struct transaction_t *txn)
txn->auth_chal.scheme = NULL;
}
+ /* Drop auth credentials, if not a backend in a Murder */
+ else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
+ syslog(LOG_DEBUG, "drop auth creds");
+
+ free(httpd_userid);
+ httpd_userid = NULL;
+
+ free(httpd_extrafolder);
+ httpd_extrafolder = NULL;
+
+ free(httpd_extradomain);
+ httpd_extradomain = NULL;
+
+ if (httpd_authstate) {
+ auth_freestate(httpd_authstate);
+ httpd_authstate = NULL;
+ }
+ }
+
/* Perform proxy authorization, if necessary */
else if (saslprops.authid &&
(hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
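Review bot: The exemption in the new `else if` keeps the previous request's identity whenever both `config_mupdate_server` and `IMAPOPT_PROXYSERVERS` are set, so on a Murder backend a request arriving without credentials still runs under whatever `httpd_userid`/`httpd_authstate` the connection last held. That is presumably intended for frontend connection reuse, but it means the backend's safety rests on only trusted proxies being able to reach it, and the comment should say so, e.g. `/* Murder backends keep the connection identity; assumes only proxyservers connect here */`. The debug line would help incident review more if it named the identity being discarded, `syslog(LOG_DEBUG, "drop auth creds for %s", httpd_userid ? httpd_userid : "(none)");`, placed before the `free()`. The `else if` chain this branch joins begins above the hunk and continues past it, so which earlier conditions skip the reset cannot be checked from here.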