From 2569288232a0e9530de363fe5feb012a81dda314 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Wed, 6 May 2026 21:25:27 +0200
Subject: [PATCH] CVE-2026-44055: afpd: correct bitwise check and escape user in FCE notify script

Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 etc/afpd/fce_api.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/etc/afpd/fce_api.c b/etc/afpd/fce_api.c
index 2c75deddc..54a6d71af 100644
--- a/etc/afpd/fce_api.c
+++ b/etc/afpd/fce_api.c
@@ -440,8 +440,12 @@ static void send_fce_event(const AFPObj *obj, int event, const char *path,
 bformata(cmd, " -p %" PRIu64 "", (uint64_t)getpid());
 }
- if (fce_ev_info | FCE_EV_INFO_USER) {
- bformata(cmd, " -u %s", user);
+ if (fce_ev_info & FCE_EV_INFO_USER) {
+ bstring buser = bfromcstr(user);
+ bfindreplace(buser, slash, slashrep, 0);
+ bfindreplace(buser, quote, quoterep, 0);
+ bformata(cmd, " -u '%s'", bdata(buser));
+ bdestroy(buser);
 }
 if (oldpath) {
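Review bot: The new escaping in the `FCE_EV_INFO_USER` branch fails open: `bfromcstr(user)` returns NULL when `user` is NULL or allocation fails, and both `bfindreplace` calls return `BSTR_ERR` on failure, yet `bformata` still appends whatever `bdata(buser)` yields (possibly NULL passed to `%s`, or a name whose quotes were never replaced). Since this escaping is what keeps the user name from being interpreted by the shell, the results should be checked and the script not run on failure, e.g. `if (buser == NULL || bfindreplace(buser, slash, slashrep, 0) != BSTR_OK || bfindreplace(buser, quote, quoterep, 0) != BSTR_OK) { bdestroy(buser); /* abandon cmd */ }`. `slash`, `slashrep`, `quote` and `quoterep` are defined outside the hunk, so it is worth confirming that `quoterep` closes and reopens the single-quoted string (`'\''`), because a backslash alone does not escape a quote inside single quotes. `send_fce_event` starts and ends outside the hunk, so the cleanup `cmd` needs on that error path is not visible here.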