changeset 4682:bc071307fc2a HEAD

Require that the "resp" parameter of the AUTH command be the last one.
author Timo Sirainen <tss@iki.fi>
date Sun, 15 Oct 2006 18:52:25 +0300
parents cc110cb8c56b
children b60a8aec99ed
files doc/auth-protocol.txt src/auth/auth-request-handler.c
diffstat 2 files changed, 18 insertions(+), 4 deletions(-) [+]
--- a/doc/auth-protocol.txt	Sun Oct 15 18:42:58 2006 +0300
+++ b/doc/auth-protocol.txt	Sun Oct 15 18:52:25 2006 +0300
@@ -100,10 +100,14 @@
 
  - lip=<local ip>    : Local IP  - in standard string format,
  - rip=<remote ip>   : Remote IP - ie. for IPv4 127.0.0.1 and for IPv6 ::1
- - resp=<base64>     : Initial response for authentication mechanism
  - secured           : Remote user has secured transport to auth client
                        (eg. localhost, SSL, TLS)
  - valid-client-cert : Remote user has presented a valid SSL certificate.
+ - resp=<base64>     : Initial response for authentication mechanism.
+                       NOTE: This must be the last parameter. Everything
+		       after it is ignored. This is to avoid accidental
+		       security holes if user-given data is directly put to
+		       base64 string without filtering out tabs.
 
 FAIL parameters may contain "reason=.." parameter which should be sent to
 remote user instead of a standard "Authentication failed" message. For
--- a/src/auth/auth-request-handler.c	Sun Oct 15 18:42:58 2006 +0300
+++ b/src/auth/auth-request-handler.c	Sun Oct 15 18:52:25 2006 +0300
@@ -288,17 +288,27 @@
 
 		if (auth_request_import(request, name, arg))
 			;
-		else if (strcmp(name, "resp") == 0)
-			initial_resp = arg;
 		else if (strcmp(name, "valid-client-cert") == 0)
 			valid_client_cert = TRUE;
+		else if (strcmp(name, "resp") == 0) {
+			initial_resp = arg;
+			/* this must be the last parameter */
+			list++;
+			break;
+		}
+	}
+
+	if (*list != NULL) {
+		i_error("BUG: Authentication client %u "
+			"sent AUTH parameters after 'resp'",
+			handler->client_pid);
+		return FALSE;
 	}
 
 	if (request->service == NULL) {
 		i_error("BUG: Authentication client %u "
 			"didn't specify service in request",
 			handler->client_pid);
-		auth_request_unref(&request);
 		return FALSE;
 	}