Don't do printf interpolation on config('me')

The code feeds the results of $session->config('me') to
sprintf as part of the format string. In practice, this is
probably not a problem since hostnames don't contain percent
signs. However, it triggers a taint warning in perl 5.10,
making cram-md5 auth unusable.

This patch rewrites the sprintf to insert the 'me' value
using a %s format specifier.
Jeff King 2009-01-05 06:34:59 +00:00 committed by Ask Bjørn Hansen
parent 4bbdd551b4
commit e4cb191047


@ -60,8 +60,8 @@ sub SASL {
# rand() is not cryptographic, but we only need to generate a globally
# unique number. The rand() is there in case the user logs in more than
# once in the same second, of if the clock is skewed.
$ticket = sprintf( "<%x.%x\@" . $session->config("me") . ">",
rand(1000000), time() );
$ticket = sprintf( '<%x.%x@%s>',
rand(1000000), time(), $session->config("me") );
# We send the ticket encoded in Base64
$session->respond( 334, encode_base64( $ticket, "" ) );
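Review bot: the replacement correctly moves `$session->config("me")` out of the format string and into an argument, so a `%` in the configured hostname can no longer be interpreted as a conversion specifier and the tainted value never reaches `sprintf` as format; one small thing worth folding into the same hunk is the typo in the comment just above it, where "of if the clock is skewed" should read "or if the clock is skewed".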