
digest: pass in the user name quoted (as well) #20940

Closed
bagder wants to merge 3 commits into master from bagder/digest-quote-user



bagder commented Mar 16, 2026

For cases where the user puts a double quote or backspace in the user name.

Adjusted test 907 to verify

Reported-by: am-perip on hackerone

github-actions bot added the tests label Mar 16, 2026
bagder marked this pull request as ready for review March 16, 2026 15:29
bagder requested a review from Copilot March 16, 2026 15:29

Copilot AI left a comment


Pull request overview

Updates DIGEST-MD5 SASL authentication message generation to properly quoted-string escape the username (in addition to realm/nonce), and adjusts a regression test to validate usernames containing special characters.

Changes:

  • Escape (backslash-quote) the DIGEST-MD5 username field using the existing quoted-string helper.
  • Update test907 to use/verify a username containing a double quote.
  • Update tests/data/Makefile.am test case list (currently introduces a missing test entry).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| tests/data/test907 | Adjusts SMTP DIGEST-MD5 test vectors to use/verify a quoted username. |
| tests/data/Makefile.am | Modifies the enumerated test case list (currently references a non-existent test). |
| lib/vauth/digest.c | Escapes the DIGEST-MD5 username attribute before formatting the response string. |


Comment thread tests/data/Makefile.am Outdated
Comment thread lib/vauth/digest.c Outdated

bagder commented Mar 16, 2026

augment review


augmentcode bot commented Mar 16, 2026

🤖 Augment PR Summary

Summary: Ensures DIGEST-MD5 responses properly escape the username when it contains characters like " or \.
Changes: Adds username quoting via auth_digest_string_quoted() and updates SMTP test 907 to validate the new behavior.



augmentcode bot left a comment


Review completed. No suggestions at this time.


bagder closed this in 3e8df37 Mar 16, 2026
bagder deleted the bagder/digest-quote-user branch March 16, 2026 21:43
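
An added example, not curl's code and not part of this pull request: the quoted-string escaping that the review summaries above describe, paired with a receiver-side decoder that shows whether the user name survives the round trip. The function names, the fixed realm `example` and the sample user names are assumptions constructed for illustration.

```c
#include <string.h>

/* Hypothetical builder, not curl's code: writes username="<user>",realm="example"
   into buf. With escape != 0 each '"' and '\' in user gets a backslash prefix. */
static int build(char *buf, size_t len, const char *user, int escape)
{
  static const char pre[] = "username=\"", post[] = "\",realm=\"example\"";
  size_t n = sizeof(pre) - 1;
  if(len < sizeof(pre) - 1 + sizeof(post))
    return -1;
  memcpy(buf, pre, n);
  for(; *user; user++) {
    if(n + 2 + sizeof(post) > len)
      return -1; /* no room for escape + character + trailer */
    if(escape && (*user == '"' || *user == '\\'))
      buf[n++] = '\\';
    buf[n++] = *user;
  }
  memcpy(buf + n, post, sizeof(post)); /* copies the terminating NUL too */
  return 0;
}

/* Decode the username quoted-string the way a receiver would.
   Returns the decoded length, or -1 when the value is malformed. */
static int read_username(const char *msg, char *out, size_t len)
{
  const char *p = strstr(msg, "username=\"");
  size_t n = 0;
  if(!p)
    return -1;
  for(p += strlen("username=\""); *p && *p != '"'; p++) {
    if(*p == '\\' && !*++p)
      return -1; /* dangling backslash */
    if(n + 1 >= len)
      return -1;
    out[n++] = *p;
  }
  out[n] = '\0';
  return *p == '"' ? (int)n : -1;
}

/* Returns 1 when the receiver recovers exactly the name the sender meant. */
static int roundtrips(const char *user, int escape)
{
  char msg[256], got[128];
  return !build(msg, sizeof(msg), user, escape) &&
         read_username(msg, got, sizeof(got)) >= 0 && !strcmp(got, user);
}
```

Without escaping, a name containing `"` is cut short at the quote, and a name ending in `\` consumes the closing quote so the decoded value runs into the next directive.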