diff -durN cyrus-sasl-2.1.10.orig/lib/common.c cyrus-sasl-2.1.10/lib/common.c
--- cyrus-sasl-2.1.10.orig/lib/common.c Thu Dec 5 15:00:38 2002
+++ cyrus-sasl-2.1.10/lib/common.c Thu Jan 9 11:42:29 2003
-@@ -1040,6 +1040,20 @@
+@@ -1040,6 +1040,22 @@
}
static int
+_sasl_getconfpath(void *context __attribute__((unused)),
+ char ** path_dest)
+{
-+ char *path;
++ char *path = NULL;
+
+ if (! path_dest)
+ return SASL_BADPARAM;
-+ path = getenv(SASL_CONF_PATH_ENV_VAR);
++ /* Honor external variable only in a safe environment */
++ if (getuid() == geteuid() && getgid() == getegid())
++ path = getenv(SASL_CONF_PATH_ENV_VAR);
+ if (! path)
+ path = CONFIGDIR;
+ return _sasl_strdup(path, path_dest, NULL);
_sasl_verifyfile(void *context __attribute__((unused)),
char *file __attribute__((unused)),
int type __attribute__((unused)))
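Review bot: The `getuid() == geteuid() && getgid() == getegid()` guard placed in front of the new `getenv(SASL_CONF_PATH_ENV_VAR)` call only detects a process whose effective ids still differ from its real ids, so a setuid-root caller that has already done `setuid(0)`/`setreuid(0,0)`, or one that is privileged through capabilities or supplementary groups rather than the setuid/setgid bits, passes the test and the configuration directory is taken from the unprivileged invoker's environment. The question actually being asked is whether the process has been elevated since exec, which `issetugid()` (BSD) and `secure_getenv()`/`getauxval(AT_SECURE)` (glibc) answer directly on platforms that provide them; prefer one of those behind a configure check and keep the uid/gid comparison only as the portable fallback, e.g. `path = secure_getenv(SASL_CONF_PATH_ENV_VAR);` in place of the guarded `getenv`. The comment `/* Honor external variable only in a safe environment */` should also state what "safe" means here and that the caller's privilege state decides it, since the path read from this variable is later handed to the config loader. The closing brace of `_sasl_getconfpath` and the `static int` that must precede `_sasl_verifyfile` are not visible between the `return _sasl_strdup(...)` line and `_sasl_verifyfile(`, so this rendering appears to have dropped lines and the new function's end lies outside what is shown.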
-@@ -1147,6 +1161,10 @@
+@@ -1147,6 +1163,10 @@
*pproc = (int (*)()) &_sasl_getpath;
*pcontext = NULL;
return SASL_OK;
case SASL_CB_AUTHNAME:
*pproc = (int (*)()) &_sasl_getsimple;
*pcontext = conn;
-@@ -1475,6 +1493,30 @@
+@@ -1475,6 +1495,30 @@
}
const sasl_callback_t *
_sasl_find_verifyfile_callback(const sasl_callback_t *callbacks);
extern int _sasl_common_init(void);
---- cyrus-sasl-2.1.17/lib/server.c.orig 2003-11-14 17:49:07.000000000 +0100
-+++ cyrus-sasl-2.1.17/lib/server.c 2003-12-03 22:48:32.585083464 +0100
-@@ -436,15 +436,15 @@
+--- cyrus-sasl-2.1.19/lib/server.c.orig 2004-07-06 15:42:23.000000000 +0200
++++ cyrus-sasl-2.1.19/lib/server.c 2004-07-25 18:46:12.483590936 +0200
+@@ -462,7 +462,7 @@
size_t path_len;
char *config_filename=NULL;
size_t len;
- const sasl_callback_t *getpath_cb=NULL;
+ const sasl_callback_t *getconfpath_cb=NULL;
+ /* If appname was not provided, behave as if there is no config file
+ (see also sasl_config_init() */
+@@ -471,12 +471,12 @@
+ }
+
/* get the path to the plugins; for now the config file will reside there */
- getpath_cb=_sasl_find_getpath_callback( global_callbacks.callbacks );
- if (getpath_cb==NULL) return SASL_BADPARAM;
+ if (getconfpath_cb==NULL) return SASL_BADPARAM;
- /* getpath_cb->proc MUST be a sasl_getpath_t; if only c had a type
-+ /* getconfpath_cb->proc MUST be a sasl_getpath_t; if only c had a type
++ /* getconfpath_cb->proc MUST be a sasl_getconfpath_t; if only c had a type
system */
- result = ((sasl_getpath_t *)(getpath_cb->proc))(getpath_cb->context,
+ result = ((sasl_getconfpath_t *)(getconfpath_cb->proc))(getconfpath_cb->context,