imap-login: Allow x-forward- to specify forward fields from trusted n…

…etworks
dovecot · Mar 19, 2017 · 998eadc · 998eadc
1 parent 53f9780
commit 998eadc
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/src/imap-login/imap-login-client.c b/src/imap-login/imap-login-client.c
@@ -200,6 +200,17 @@ client_update_info(struct imap_client *client,
 			client->common.session_id =
 				p_strdup(client->common.pool, value);
 		}
+	} else if (strncasecmp(key, "x-forward-", 10) == 0) {
+		/* handle extra field */
+		if (client->common.forward_fields == NULL)
+			client->common.forward_fields = str_new(client->common.preproxy_pool, 32);
+		else
+			str_append_c(client->common.forward_fields, '\t');
+		/* prefixing is done by auth process */
+		str_append_tabescaped(client->common.forward_fields,
+				      key+10);
+		str_append_c(client->common.forward_fields, '=');
+		str_append_tabescaped(client->common.forward_fields, value);
 	} else {
 		return FALSE;
 	}
@@ -209,7 +220,8 @@ client_update_info(struct imap_client *client,
 static bool client_id_reserved_word(const char *key)
 {
 	i_assert(key != NULL);
-	return str_array_icase_find(imap_login_reserved_id_keys, key);
+	return (strncasecmp(key, "x-forward-", 10) == 0 ||
+		str_array_icase_find(imap_login_reserved_id_keys, key));
 }
 
 static void cmd_id_handle_keyvalue(struct imap_client *client,

diff --git a/src/imap-login/imap-proxy.c b/src/imap-login/imap-proxy.c
@@ -40,13 +40,30 @@ static void proxy_write_id(struct imap_client *client, string_t *str)
 		    "\"x-originating-port\" \"%u\" "
 		    "\"x-connected-ip\" \"%s\" "
 		    "\"x-connected-port\" \"%u\" "
-		    "\"x-proxy-ttl\" \"%u\")\r\n",
+		    "\"x-proxy-ttl\" \"%u\"",
 		    client_get_session_id(&client->common),
 		    net_ip2addr(&client->common.ip),
 		    client->common.remote_port,
 		    net_ip2addr(&client->common.local_ip),
 		    client->common.local_port,
 		    client->common.proxy_ttl - 1);
+
+	/* append any forward_ variables to request */
+	for(const char *const *ptr = client->common.auth_passdb_args; *ptr != NULL; ptr++) {
+		if (strncasecmp(*ptr, "forward_", 8) == 0) {
+			str_append_c(str, ' ');
+			const char *key = t_strconcat("x-forward-",
+						      t_strcut((*ptr)+8, '='),
+						      NULL);
+			const char *val = i_strchr_to_next(*ptr, '=');
+			str_append_c(str, ' ');
+			imap_append_string(str, key);
+			str_append_c(str, ' ');
+			imap_append_nstring(str, val);
+		}
+	}
+
+	str_append(str, ")\r\n");
 }
 
 static void proxy_free_password(struct client *client)

diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
@@ -213,6 +213,8 @@ static void client_auth_parse_args(struct client *client, bool success,
 				alt_username_set(&alt_usernames, client->pool,
 						 key, value);
 			}
+		} else if (strncmp(key, "forward_", 8) == 0) {
+			/* these are passed to upstream */
 		} else if (client->set->auth_debug)
 			i_debug("Ignoring unknown passdb extra field: %s", key);
 	}