From 3d4a9ac29cf10f545bd68772156265ad6bc94d2c Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Thu, 8 Aug 2024 09:35:27 +0200
Subject: [PATCH] Fix #3364

(cherry picked from commit ee243ea735744b296bb90b2c1e6a1fded8915c8d)
---
 core/nginx/dovecot/login.lua        | 13 +++++++++++--
 towncrier/newsfragments/3364.bugfix |  1 +
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/3364.bugfix

diff --git a/core/nginx/dovecot/login.lua b/core/nginx/dovecot/login.lua
index d24de149..a93b4b29 100644
--- a/core/nginx/dovecot/login.lua
+++ b/core/nginx/dovecot/login.lua
@@ -10,15 +10,24 @@ local http_client = dovecot.http.client {
     max_attempts = 3;
 }
 
+-- on the other end we use urllib.parse.unquote()
+function urlEncode(str)
+    return str:gsub("[^%w_.-~]", function(c)
+        return string.format("%%%02X", string.byte(c))
+    end)
+end
+
 function auth_passdb_lookup(req)
   local auth_request = http_client:request {
     url = "http://{{ ADMIN_ADDRESS }}:8080/internal/auth/email";
   }
   auth_request:add_header('Auth-Port', req.local_port)
-  auth_request:add_header('Auth-User', req.user)
+  local user = urlEncode(req.user)
+  auth_request:add_header('Auth-User', user)
   if req.password ~= nil
   then
-    auth_request:add_header('Auth-Pass', req.password)
+    local password = urlEncode(req.password)
+    auth_request:add_header('Auth-Pass', password)
   end
   auth_request:add_header('Auth-Protocol', req.service)
   auth_request:add_header('Client-IP', req.remote_ip)
diff --git a/towncrier/newsfragments/3364.bugfix b/towncrier/newsfragments/3364.bugfix
new file mode 100644
index 00000000..10e56cf3
--- /dev/null
+++ b/towncrier/newsfragments/3364.bugfix
@@ -0,0 +1 @@
+Fix a bug preventing percent characters from being used in passwords