Mercurial > dovecot > original-hg > dovecot-1.2
changeset 7389:1125d2d59e82 HEAD
If trying to log in with password having illegal characters, make sure we
fail early.
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Sun, 09 Mar 2008 12:45:17 +0200 |
| parents | 08d31d752893 |
| children | 04297ce26b78 |
| files | src/auth/auth-request.c |
| diffstat | 1 files changed, 25 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/auth/auth-request.c Sun Mar 09 12:37:26 2008 +0200 +++ b/src/auth/auth-request.c Sun Mar 09 12:45:17 2008 +0200 @@ -426,6 +426,23 @@ auth_request_verify_plain_callback_finish(result, request); } +static bool password_has_illegal_chars(const char *password) +{ + for (; *password != '\0'; password++) { + switch (*password) { + case '\001': + case '\t': + case '\r': + case '\n': + /* these characters have a special meaning in internal + protocols, make sure the password doesn't + accidentally get there unescaped. */ + return TRUE; + } + } + return FALSE; +} + void auth_request_verify_plain(struct auth_request *request, const char *password, verify_plain_callback_t *callback) @@ -443,7 +460,14 @@ "Attempted master login with no master passdbs"); callback(PASSDB_RESULT_USER_UNKNOWN, request); return; - } + } + + if (password_has_illegal_chars(password)) { + auth_request_log_info(request, "passdb", + "Attempted login with password having illegal chars"); + callback(PASSDB_RESULT_USER_UNKNOWN, request); + return; + } passdb = request->passdb->passdb; if (request->mech_password == NULL)