> On 16/12/2025 19:30 EET Yurii Krainiuk via dovecot <[email protected]> > wrote: > > > *## Title* > > authCacheFlush HTTP API crashes with assertion failure - type mismatch > between API schema and implementation > > *## Dovecot Version* > > 2.4.2 > > *## Component* > > doveadm HTTP API > > *## Description* > > The authCacheFlush command via doveadm HTTP API causes a server crash with > an assertion failure. The HTTP API schema declares the user parameter as > array type, but the internal implementation (doveadm_cmd_param_str) expects > string type, causing a type mismatch assertion failure. > > *## Steps to Reproduce* > > 1. Send any authCacheFlush request to doveadm HTTP API: > > bash > curl -X POST \ > -H "Authorization: X-Dovecot-API <api_key>" \ > -H "Content-Type: application/json" \ > -d '[["authCacheFlush",{"user":"[email protected]"},"tag1"]]' \ > http://localhost:8080/doveadm/v1 > > 2. Or with user as array (matching the declared schema): > > bash > curl -X POST \ > -H "Authorization: X-Dovecot-API <api_key>" \ > -H "Content-Type: application/json" \ > -d '[["authCacheFlush",{"user":["[email protected]"]},"tag1"]]' \ > http://localhost:8080/doveadm/v1 > > 3. Or without any parameters: > > bash > curl -X POST \ > -H "Authorization: X-Dovecot-API <api_key>" \ > -H "Content-Type: application/json" \ > -d '[["authCacheFlush",{},"tag1"]]' \ > http://localhost:8080/doveadm/v1 > > *## Expected Result* > > Auth cache should be flushed and API returns success response like: > > json > [["doveadmResponse",[{"entries":1}],"tag1"]] > > *## Actual Result* > > Server crashes with empty reply (HTTP connection closed). The doveadm > process is killed with signal 6 (SIGABRT). > > *## Error Log* > > Panic: file doveadm-cmd-parse.c: line 120 (doveadm_cmd_param_str): > assertion failed: (param->type == CMD_PARAM_STR) > Error: Raw backtrace: #0 test_subprocess_fork[0x7362eb54a570] -> #1 > backtrace_append[0x7362eb54a820] -> #2 backtrace_get[0x7362eb54a9c0] -> #3 > e_info[0x7362eb556370] -> #4 i_syslog_fatal_handler[0x7362eb5564b0] -> #5 > i_panic[0x7362eb474f28] -> #6 [unw_get_proc_name() failed: -10] -> #7 > http_server_connection_shut_down[0x7362eb4e6a00] -> #8 > io_loop_call_io[0x7362eb572510] -> #9 > io_loop_handler_run_internal[0x7362eb5743a0] -> #10 > io_loop_handler_run[0x7362eb574540] -> #11 io_loop_run[0x7362eb574740] -> > #12 master_service_run[0x7362eb4bc640] -> #13 main[0x64c4233d74f0] -> #14 > __libc_init_first[0x7362eb02a150] -> #15 __libc_start_main[0x7362eb02a200] > -> #16 _start[0x64c4233d76e0] > Fatal: master: service(doveadm): child 2302469 killed with signal 6 (core > dumped) > > *## API Schema (from GET /doveadm/v1)* > > The API endpoint reports the following schema for authCacheFlush: > > json > { > "command": "authCacheFlush", > "parameters": [ > {"name": "socketPath", "type": "string"}, > {"name": "user", "type": "array"} > ] > } > > *## Analysis* > > The API schema declares user as array, but line 120 in doveadm-cmd-parse.c > calls doveadm_cmd_param_str() which asserts param->type == CMD_PARAM_STR. > This type mismatch causes the crash. > > The relevant assertion in source code: > c > // doveadm-cmd-parse.c:120 > assertion failed: (param->type == CMD_PARAM_STR) > > *## Note* > > - The CLI command doveadm auth cache flush <user> works correctly > - Only the HTTP API is affected > - All authentication methods (X-Dovecot-API header, Basic Auth) produce the > same crash > - The crash occurs regardless of whether parameters are provided or not > > *## Workaround* > > Currently no workaround via HTTP API. Must use CLI directly or via SSH. > > *## Environment* > > - OS: Linux (Ubuntu/Debian) > - Dovecot: 2.4.2 > - doveadm HTTP API enabled on port 8080 > ## Title > > authCacheFlush HTTP API crashes with assertion failure - type mismatch > between API schema and implementation > > ## Dovecot Version > > 2.4.2 > > ## Component > > doveadm HTTP API > > ## Description > > The authCacheFlush command via doveadm HTTP API causes a server crash with > an assertion failure. The HTTP API schema declares the user parameter as > array type, but the internal implementation (doveadm_cmd_param_str) > expects string type, causing a type mismatch assertion failure. > > ## Steps to Reproduce > > 1. Send any authCacheFlush request to doveadm HTTP API: > > bash > curl -X POST \ > -H "Authorization: X-Dovecot-API <api_key>" \ > -H "Content-Type: application/json" \ > -d '[["authCacheFlush",{"user":"[1][email protected]"},"tag1"]]' \ > [2]http://localhost:8080/doveadm/v1 > > 2. Or with user as array (matching the declared schema): > > bash > curl -X POST \ > -H "Authorization: X-Dovecot-API <api_key>" \ > -H "Content-Type: application/json" \ > -d '[["authCacheFlush",{"user":["[3][email protected]"]},"tag1"]]' \ > [4]http://localhost:8080/doveadm/v1 > > 3. Or without any parameters: > > bash > curl -X POST \ > -H "Authorization: X-Dovecot-API <api_key>" \ > -H "Content-Type: application/json" \ > -d '[["authCacheFlush",{},"tag1"]]' \ > [5]http://localhost:8080/doveadm/v1 > > ## Expected Result > > Auth cache should be flushed and API returns success response like: > > json > [["doveadmResponse",[{"entries":1}],"tag1"]] > > ## Actual Result > > Server crashes with empty reply (HTTP connection closed). The doveadm > process is killed with signal 6 (SIGABRT). > > ## Error Log > > Panic: file doveadm-cmd-parse.c: line 120 (doveadm_cmd_param_str): > assertion failed: (param->type == CMD_PARAM_STR) > Error: Raw backtrace: #0 test_subprocess_fork[0x7362eb54a570] -> #1 > backtrace_append[0x7362eb54a820] -> #2 backtrace_get[0x7362eb54a9c0] -> #3 > e_info[0x7362eb556370] -> #4 i_syslog_fatal_handler[0x7362eb5564b0] -> #5 > i_panic[0x7362eb474f28] -> #6 [unw_get_proc_name() failed: -10] -> #7 > http_server_connection_shut_down[0x7362eb4e6a00] -> #8 > io_loop_call_io[0x7362eb572510] -> #9 > io_loop_handler_run_internal[0x7362eb5743a0] -> #10 > io_loop_handler_run[0x7362eb574540] -> #11 io_loop_run[0x7362eb574740] -> > #12 master_service_run[0x7362eb4bc640] -> #13 main[0x64c4233d74f0] -> #14 > __libc_init_first[0x7362eb02a150] -> #15 __libc_start_main[0x7362eb02a200] > -> #16 _start[0x64c4233d76e0] > Fatal: master: service(doveadm): child 2302469 killed with signal 6 (core > dumped) > > ## API Schema (from GET /doveadm/v1) > > The API endpoint reports the following schema for authCacheFlush: > > json > { > "command": "authCacheFlush", > "parameters": [ > {"name": "socketPath", "type": "string"}, > {"name": "user", "type": "array"} > ] > } > > ## Analysis > > The API schema declares user as array, but line 120 in doveadm-cmd-parse.c > calls doveadm_cmd_param_str() which asserts param->type == CMD_PARAM_STR. > This type mismatch causes the crash. > > The relevant assertion in source code: > c > // doveadm-cmd-parse.c:120 > assertion failed: (param->type == CMD_PARAM_STR) > > ## Note > > - The CLI command doveadm auth cache flush <user> works correctly > - Only the HTTP API is affected > - All authentication methods (X-Dovecot-API header, Basic Auth) produce > the same crash > - The crash occurs regardless of whether parameters are provided or not > > ## Workaround > > Currently no workaround via HTTP API. Must use CLI directly or via SSH. > > ## Environment > > - OS: Linux (Ubuntu/Debian) > - Dovecot: 2.4.2 > - doveadm HTTP API enabled on port 8080
Thank you for the bug report, we'll look into. I was able to reproduce this locally. Aki _______________________________________________ dovecot mailing list -- [email protected] To unsubscribe send an email to [email protected]
