[Commits] [SCM] claws branch, master, updated. 3.18.0-223-g10c688b98

wwp at claws-mail.org wwp at claws-mail.org
Thu Sep 30 20:58:50 CEST 2021


The branch, master has been updated
       via  10c688b98dd59359c517ea5d111f74300771abd0 (commit)
      from  5e768abb601caac20e4506e125789b1a18b9af71 (commit)

Summary of changes:
 src/oauth2.c | 158 ++++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 114 insertions(+), 44 deletions(-)


- Log -----------------------------------------------------------------
commit 10c688b98dd59359c517ea5d111f74300771abd0
Author: wwp <subscript at free.fr>
Date:   Thu Sep 30 20:58:46 2021 +0200

    Fix CID 1491155, 1491195, 1491219, 1491279, 1491295, 1491299, 1491305, 1491351: resource leaks.

diff --git a/src/oauth2.c b/src/oauth2.c
index d7e663008..21b9f7502 100644
--- a/src/oauth2.c
+++ b/src/oauth2.c
@@ -226,7 +226,7 @@ int oauth2_obtain_tokens (Oauth2Service provider, OAUTH2Data *OAUTH2Data, const
 	gchar *client_id;
 	gchar *client_secret;
     gchar *token = NULL;
-
+    gchar *tmp;
 	gint i;
 
 	i = (int)provider - 1;
@@ -279,21 +279,45 @@ int oauth2_obtain_tokens (Oauth2Service provider, OAUTH2Data *OAUTH2Data, const
 	    client_secret = g_strdup(OAUTH2Data->custom_client_secret);
 	  else
 	    client_secret = oauth2_decode(OAUTH2info[i][OA2_CLIENT_SECRET]);
-	  body = g_strconcat (body, "&client_secret=", g_uri_escape_string (client_secret, NULL, FALSE), NULL);
+	  uri = g_uri_escape_string (client_secret, NULL, FALSE);
+	  tmp = g_strconcat (body, "&client_secret=", uri, NULL);
+	  g_free(body);
+      g_free(uri);
+	  body = tmp;
 	}else{
 	  client_secret = g_strconcat ("", NULL);
 	}
 
-	if(OAUTH2info[i][OA2_REDIRECT_URI][0])
-	  body = g_strconcat (body, "&redirect_uri=",g_uri_escape_string (OAUTH2info[i][OA2_REDIRECT_URI], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_GRANT_TYPE_ACCESS][0])
-	  body = g_strconcat (body, "&grant_type=", g_uri_escape_string (OAUTH2info[i][OA2_GRANT_TYPE_ACCESS], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_TENANT][0])
-	  body = g_strconcat (body, "&tenant=", g_uri_escape_string (OAUTH2info[i][OA2_TENANT], NULL, FALSE), NULL);	
-	if(OAUTH2info[i][OA2_SCOPE_FOR_ACCESS][0])
-	  body = g_strconcat (body, "&scope=", g_uri_escape_string (OAUTH2info[i][OA2_SCOPE_FOR_ACCESS], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_STATE][0])
-	  body = g_strconcat (body, "&state=", g_uri_escape_string (OAUTH2info[i][OA2_STATE], NULL, FALSE), NULL);
+	if(OAUTH2info[i][OA2_REDIRECT_URI][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_REDIRECT_URI], NULL, FALSE);
+	  tmp = g_strconcat (body, "&redirect_uri=", uri, NULL);
+	  g_free(body);
+	  body = tmp;
+	}
+	if(OAUTH2info[i][OA2_GRANT_TYPE_ACCESS][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_GRANT_TYPE_ACCESS], NULL, FALSE);
+	  tmp = g_strconcat (body, "&grant_type=", uri, NULL);
+	  g_free(body);
+	  body = tmp;
+	}
+	if(OAUTH2info[i][OA2_TENANT][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_TENANT], NULL, FALSE);
+	  tmp = g_strconcat (body, "&tenant=", uri, NULL);
+	  g_free(body);
+	  body = tmp;
+	}
+	if(OAUTH2info[i][OA2_SCOPE_FOR_ACCESS][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_SCOPE_FOR_ACCESS], NULL, FALSE);
+	  tmp = g_strconcat (body, "&scope=", uri, NULL);
+	  g_free(body);
+	  body = tmp;
+	}
+	if(OAUTH2info[i][OA2_STATE][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_STATE], NULL, FALSE);
+	  tmp = g_strconcat (body, "&state=", uri, NULL);
+	  g_free(body);
+	  body = tmp;
+	}
 
 	if(OAUTH2info[i][OA2_HEADER_AUTH_BASIC][0]){
 	  tmp_hd = g_strconcat(client_id, ":", client_secret, NULL);
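Review bot: The five rewritten blocks for redirect_uri, grant_type, tenant, scope and state never release `uri`, so each escaped string still leaks; only the client_secret block at the top of this hunk calls `g_free(uri)`. Add `g_free(uri);` after the `g_strconcat` call in each of those blocks, as the matching blocks in oauth2_use_refresh_token already do. A small static helper that appends one escaped `key=value` pair and frees both temporaries would keep the call sites from diverging again. The body of oauth2_obtain_tokens starts and ends outside this hunk.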
@@ -346,6 +370,7 @@ gint oauth2_use_refresh_token (Oauth2Service provider, OAUTH2Data *OAUTH2Data)
 	gchar *request;
 	gchar *response;
 	gchar *body;
+	gchar *uri;
 	gchar *header;
 	gchar *tmp_hd, *tmp_hd_encoded;
 	gchar *access_token;
@@ -354,7 +379,7 @@ gint oauth2_use_refresh_token (Oauth2Service provider, OAUTH2Data *OAUTH2Data)
 	SockInfo *sock;
 	gchar *client_id;
 	gchar *client_secret;
-
+	gchar *tmp;
 	gint i;
 
 	i = (int)provider - 1;
@@ -385,8 +410,9 @@ gint oauth2_use_refresh_token (Oauth2Service provider, OAUTH2Data *OAUTH2Data)
 	else
 	  client_id = oauth2_decode(OAUTH2info[i][OA2_CLIENT_ID]);
 
-	body = g_strconcat ("client_id=", g_uri_escape_string (client_id, NULL, FALSE), 
-			    "&refresh_token=",OAUTH2Data->refresh_token, NULL); 
+	uri = g_uri_escape_string (client_id, NULL, FALSE);
+	body = g_strconcat ("client_id=", uri, "&refresh_token=",OAUTH2Data->refresh_token, NULL); 
+	g_free(uri);
 
 	if(OAUTH2info[i][OA2_CLIENT_SECRET][0]){
 	  //Only allow custom client secret if the service provider would usually expect a client secret
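Review bot: `OAUTH2Data->refresh_token` is concatenated into the form body without percent-encoding, while `client_id` on the same line is escaped. A token containing `+`, `&` or `=` would be decoded differently by the server or split into extra parameters; whether stored tokens can contain such characters is not visible here. Escape it the same way with `rt = g_uri_escape_string (OAUTH2Data->refresh_token, NULL, FALSE);`, pass `rt` to `g_strconcat`, then `g_free(rt);`. The function continues outside the hunk.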
@@ -394,17 +420,36 @@ gint oauth2_use_refresh_token (Oauth2Service provider, OAUTH2Data *OAUTH2Data)
 	    client_secret = g_strdup(OAUTH2Data->custom_client_secret);
 	  else
 	    client_secret = oauth2_decode(OAUTH2info[i][OA2_CLIENT_SECRET]);
-	  body = g_strconcat (body, "&client_secret=", g_uri_escape_string (client_secret, NULL, FALSE), NULL);
+	  uri = g_uri_escape_string (client_secret, NULL, FALSE);
+	  tmp = g_strconcat (body, "&client_secret=", uri, NULL);
+	  g_free(body);
+	  g_free(uri);
+	  body = tmp;
 	}else{
 	  client_secret = g_strconcat ("", NULL);
 	}
 
-	if(OAUTH2info[i][OA2_GRANT_TYPE_REFRESH][0])
-	  body = g_strconcat (body, "&grant_type=", g_uri_escape_string (OAUTH2info[i][OA2_GRANT_TYPE_REFRESH], NULL, FALSE), NULL);	
-	if(OAUTH2info[i][OA2_SCOPE_FOR_ACCESS][0])
-	  body = g_strconcat (body, "&scope=", g_uri_escape_string (OAUTH2info[i][OA2_SCOPE_FOR_ACCESS], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_STATE][0])
-	  body = g_strconcat (body, "&state=", g_uri_escape_string (OAUTH2info[i][OA2_STATE], NULL, FALSE), NULL);
+	if(OAUTH2info[i][OA2_GRANT_TYPE_REFRESH][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_GRANT_TYPE_REFRESH], NULL, FALSE);
+	  tmp = g_strconcat (body, "&grant_type=", uri, NULL);	
+	  g_free(body);
+	  g_free(uri);
+	  body = tmp;
+	}
+	if(OAUTH2info[i][OA2_SCOPE_FOR_ACCESS][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_SCOPE_FOR_ACCESS], NULL, FALSE);
+	  tmp = g_strconcat (body, "&scope=", uri, NULL);
+	  g_free(body);
+	  g_free(uri);
+	  body = tmp;
+	}
+	if(OAUTH2info[i][OA2_STATE][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_STATE], NULL, FALSE);
+	  tmp = g_strconcat (body, "&state=", uri, NULL);
+	  g_free(body);
+	  g_free(uri);
+	  body = tmp;
+	}
 
 	if(OAUTH2info[i][OA2_HEADER_AUTH_BASIC][0]){
 	  tmp_hd = g_strconcat(client_id, ":", client_secret, NULL);
@@ -453,7 +498,7 @@ static gint oauth2_contact_server (SockInfo *sock, gchar *request, gchar *respon
 	gchar *token;
 	gint toread = OAUTH2BUFSIZE;	
 	time_t startplus = time(NULL);
-	
+	gchar *tmp;
 	len = strlen(request);
 	
 	startplus += 10;
@@ -475,7 +520,9 @@ static gint oauth2_contact_server (SockInfo *sock, gchar *request, gchar *respon
 	    break;
 	  
 	  toread -= ret;
-	  token = g_strconcat(token, response, NULL);
+	  tmp = g_strconcat(token, response, NULL);
+	  g_free(token);
+	  token = tmp;
 	} while ((toread > 0) && (time(NULL) < startplus)); 
 	
 	if(time(NULL) >= startplus)
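Review bot: `g_strconcat(token, response, NULL)` treats `response` as a NUL-terminated string, but the read that fills it is outside the hunk and the loop tracks the byte count in `ret`. If the buffer is not terminated at `ret` bytes, stale data from an earlier pass can be appended to the accumulated reply. Accumulating into a GString with `g_string_append_len (acc, response, ret);` would use the length actually read and avoid recopying the whole reply on every iteration. The start of the loop and the later use of `token` are not visible here, so confirm how the buffer is terminated before changing it.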
@@ -488,33 +535,56 @@ static gint oauth2_contact_server (SockInfo *sock, gchar *request, gchar *respon
 
 gint oauth2_authorisation_url (Oauth2Service provider, gchar **url, const gchar *custom_client_id)
 {
-        gint i;
-	const gchar *client_id;
+	gint i;
+	gchar *client_id = NULL;
+	gchar *tmp;
+	gchar *uri;
 
 	i = (int)provider - 1;
 	if (i < 0 || i > (OAUTH2AUTH_LAST-1))
 	  return (1);
 	
-	if(custom_client_id)
-	  client_id = custom_client_id;
-	else
+	if(!custom_client_id)
 	  client_id = oauth2_decode(OAUTH2info[i][OA2_CLIENT_ID]);
 	
-	*url = g_strconcat ("https://", OAUTH2info[i][OA2_BASE_URL],OAUTH2info[i][OA2_AUTH_RESOURCE], "?client_id=",
-			    g_uri_escape_string (client_id, NULL, FALSE), NULL);
-			    
-	if(OAUTH2info[i][OA2_REDIRECT_URI][0])
-	  *url = g_strconcat (*url, "&redirect_uri=", g_uri_escape_string (OAUTH2info[i][OA2_REDIRECT_URI], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_RESPONSE_TYPE][0])
-	  *url = g_strconcat (*url, "&response_type=",g_uri_escape_string (OAUTH2info[i][OA2_RESPONSE_TYPE], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_SCOPE_FOR_AUTH][0])
-	  *url = g_strconcat (*url, "&scope=", g_uri_escape_string (OAUTH2info[i][OA2_SCOPE_FOR_AUTH], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_TENANT][0])
-	  *url = g_strconcat (*url, "&tenant=", g_uri_escape_string (OAUTH2info[i][OA2_TENANT], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_RESPONSE_MODE][0])
-	  *url = g_strconcat (*url, "&response_mode=", g_uri_escape_string (OAUTH2info[i][OA2_RESPONSE_MODE], NULL, FALSE), NULL);
-	if(OAUTH2info[i][OA2_STATE][0])
-	  *url = g_strconcat (*url, "&state=", g_uri_escape_string (OAUTH2info[i][OA2_STATE], NULL, FALSE), NULL);
+	uri = g_uri_escape_string (custom_client_id ? custom_client_id : client_id, NULL, FALSE);
+	tmp = g_strconcat ("https://", OAUTH2info[i][OA2_BASE_URL],OAUTH2info[i][OA2_AUTH_RESOURCE], "?client_id=",
+			    uri, NULL);
+	g_free(uri);
+	if (client_id)
+	  g_free(client_id);
+
+	if(OAUTH2info[i][OA2_REDIRECT_URI][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_REDIRECT_URI], NULL, FALSE);
+	  *url = g_strconcat (tmp, "&redirect_uri=", uri, NULL);
+	  g_free(uri);
+	}  
+	if(OAUTH2info[i][OA2_RESPONSE_TYPE][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_RESPONSE_TYPE], NULL, FALSE);
+	  *url = g_strconcat (tmp, "&response_type=", uri, NULL);
+	  g_free(uri);
+	}  
+	if(OAUTH2info[i][OA2_SCOPE_FOR_AUTH][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_SCOPE_FOR_AUTH], NULL, FALSE);
+	  *url = g_strconcat (tmp, "&scope=", uri, NULL);
+	  g_free(uri);
+	}  
+	if(OAUTH2info[i][OA2_TENANT][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_TENANT], NULL, FALSE);
+	  *url = g_strconcat (tmp, "&tenant=", uri, NULL);
+	  g_free(uri);
+	}  
+	if(OAUTH2info[i][OA2_RESPONSE_MODE][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_RESPONSE_MODE], NULL, FALSE);
+	  *url = g_strconcat (tmp, "&response_mode=", uri, NULL);
+	  g_free(uri);
+	}  
+	if(OAUTH2info[i][OA2_STATE][0]) {
+	  uri = g_uri_escape_string (OAUTH2info[i][OA2_STATE], NULL, FALSE);
+	  *url = g_strconcat (tmp, "&state=", uri, NULL);
+	  g_free(uri);
+	}  
+	g_free(tmp);
 
 	return (0);
 }
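Review bot: In oauth2_authorisation_url every optional block now assigns `*url = g_strconcat (tmp, ...)` from the same base string `tmp`, so each block overwrites the previous result instead of extending it. The returned URL therefore carries only the last parameter that is set, the earlier `*url` allocations leak, and `*url` is never written when no optional field is set. For an authorization request this drops redirect_uri, response_type and scope whenever state is present. Chain through `tmp` and hand it to the caller at the end, as sketched below; the `if (client_id)` guard before `g_free` is also unnecessary.

```c
	gchar *next;
	/* … unchanged: index check, client_id lookup, base URL built into tmp … */
	if(OAUTH2info[i][OA2_REDIRECT_URI][0]) {
	  uri = g_uri_escape_string (OAUTH2info[i][OA2_REDIRECT_URI], NULL, FALSE);
	  next = g_strconcat (tmp, "&redirect_uri=", uri, NULL);
	  g_free(uri);
	  g_free(tmp);
	  tmp = next;
	}
	/* … same pattern for response_type, scope, tenant, response_mode, state … */
	*url = tmp;	/* ownership passes to the caller, so no g_free(tmp) here */

	return (0);
```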

-----------------------------------------------------------------------


hooks/post-receive
-- 
Claws Mail

