chore: add scram.c.diff patch reference for security fix v3.0

Related to PR #5348 - This diff file documents the security fix for the strtok vulnerability in SCRAM authentication code.
2 months ago · 763d4df535
parent 933168ee28
commit 763d4df535
1 changed files with 24 additions and 0 deletions
--- a/deps/libscram/scram.c.diff
+++ b/deps/libscram/scram.c.diff
@ -0,0 +1,24 @@
+--- /tmp/scram.c	2026-02-07 13:03:15
+++ src/scram.c	2026-02-07 13:04:12
+@@ -271,15 +271,16 @@
+ 	s = strdup(secret);
+ 	if (!s)
+ 		goto invalid_secret;
+-	if ((scheme_str = strtok(s, "$")) == NULL)
+	char *saveptr;
+	if ((scheme_str = strtok_r(s, "$", &saveptr)) == NULL)
+ 		goto invalid_secret;
+-	if ((iterations_str = strtok(NULL, ":")) == NULL)
+	if ((iterations_str = strtok_r(NULL, ":", &saveptr)) == NULL)
+ 		goto invalid_secret;
+-	if ((salt_str = strtok(NULL, "$")) == NULL)
+	if ((salt_str = strtok_r(NULL, "$", &saveptr)) == NULL)
+ 		goto invalid_secret;
+-	if ((storedkey_str = strtok(NULL, ":")) == NULL)
+	if ((storedkey_str = strtok_r(NULL, ":", &saveptr)) == NULL)
+ 		goto invalid_secret;
+-	if ((serverkey_str = strtok(NULL, "")) == NULL)
+	if ((serverkey_str = strtok_r(NULL, "", &saveptr)) == NULL)
+ 		goto invalid_secret;
+ 
+ 	/* Parse the fields */