diff src/imap-login/client-authenticate.c @ 1949:d2755efdd187 HEAD
Don't advertise AUTH=PLAIN unless transport is secure
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sat, 01 May 2004 22:09:34 +0300 |
parents | 07324c0d1d0a |
children | dc5d0da1abe9 |
--- a/src/imap-login/client-authenticate.c Sat May 01 21:44:40 2004 +0300
+++ b/src/imap-login/client-authenticate.c Sat May 01 22:09:34 2004 +0300
@@ -34,10 +34,17 @@
 str = t_str_new(128);
 for (i = 0; i < AUTH_MECH_COUNT; i++) {
- if ((auth_mechs & auth_mech_desc[i].mech) &&
- auth_mech_desc[i].name != NULL &&
- (secured || !auth_mech_desc[i].plaintext ||
- !disable_plaintext_auth)) {
+ if ((auth_mechs & auth_mech_desc[i].mech) == 0)
+ continue; /* not available */
+
+ /* a) transport is secured
+ b) auth mechanism isn't plaintext
+ c) we allow insecure authentication
+ - but don't advertise AUTH=PLAIN, as RFC 2595 requires
+ */
+ if (secured || !auth_mech_desc[i].plaintext ||
+ (!disable_plaintext_auth &&
+ auth_mech_desc[i].mech != AUTH_MECH_PLAIN)) {
 str_append_c(str, ' ');
 str_append(str, "AUTH=");
 str_append(str, auth_mech_desc[i].name);
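Review bot: The rewritten condition drops the `auth_mech_desc[i].name != NULL` test that the old code applied before advertising a mechanism, so an enabled descriptor without a name would now reach `str_append(str, auth_mech_desc[i].name)`. Whether any entry of auth_mech_desc can have a NULL name is not visible in this hunk; if one can, keep the guard in the early skip, e.g. `if ((auth_mechs & auth_mech_desc[i].mech) == 0 || auth_mech_desc[i].name == NULL)`. The new comment could also state that a), b) and c) are alternatives and that this filter only controls what is advertised; refusing a PLAIN exchange on an unsecured connection has to be enforced where the authentication command is handled, which is outside this hunk. The loop body and the enclosing function continue beyond the hunk.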