changeset 4682:bc071307fc2a HEAD
Require that the "resp" parameter for AUTH command is the last.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 15 Oct 2006 18:52:25 +0300 |
parents | cc110cb8c56b |
children | b60a8aec99ed |
files | doc/auth-protocol.txt src/auth/auth-request-handler.c |
diffstat | 2 files changed, 18 insertions(+), 4 deletions(-) [+] |
--- a/doc/auth-protocol.txt Sun Oct 15 18:42:58 2006 +0300 +++ b/doc/auth-protocol.txt Sun Oct 15 18:52:25 2006 +0300 @@ -100,10 +100,14 @@ - lip=<local ip> : Local IP - in standard string format, - rip=<remote ip> : Remote IP - ie. for IPv4 127.0.0.1 and for IPv6 ::1 - - resp=<base64> : Initial response for authentication mechanism - secured : Remote user has secured transport to auth client (eg. localhost, SSL, TLS) - valid-client-cert : Remote user has presented a valid SSL certificate. + - resp=<base64> : Initial response for authentication mechanism. + NOTE: This must be the last parameter. Everything + after it is ignored. This is to avoid accidental + security holes if user-given data is directly put to + base64 string without filtering out tabs. FAIL parameters may contain "reason=.." parameter which should be sent to remote user instead of a standard "Authentication failed" message. For
--- a/src/auth/auth-request-handler.c Sun Oct 15 18:42:58 2006 +0300
+++ b/src/auth/auth-request-handler.c Sun Oct 15 18:52:25 2006 +0300
@@ -288,17 +288,27 @@
 if (auth_request_import(request, name, arg)) ;
- else if (strcmp(name, "resp") == 0)
- initial_resp = arg;
 else if (strcmp(name, "valid-client-cert") == 0) valid_client_cert = TRUE;
+ else if (strcmp(name, "resp") == 0) {
+ initial_resp = arg;
+ /* this must be the last parameter */
+ list++;
+ break;
+ }
+ }
+
+ if (*list != NULL) {
+ i_error("BUG: Authentication client %u "
+ "sent AUTH parameters after 'resp'",
+ handler->client_pid);
+ return FALSE;
 }
 if (request->service == NULL) {
 i_error("BUG: Authentication client %u " "didn't specify service in request", handler->client_pid);
- auth_request_unref(&request);
 return FALSE;
 }
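Review bot: The new `if (*list != NULL)` check rejects the whole request with an error, but the doc/auth-protocol.txt text added in the same commit says everything after `resp` is ignored; the two should agree, and since rejecting is the safer behaviour for an auth-client protocol I would change the doc line to `NOTE: This must be the last parameter; a request with anything after it is rejected.`. The code comment `/* this must be the last parameter */` should also carry the reason that currently only the doc gives, e.g. `/* resp must be last: its base64 value may be user-supplied, and a stray tab in it would otherwise be parsed as further parameters */`. Both error returns in the hunk now leave `request` unreleased after the `auth_request_unref` on the service path was dropped; presumably the caller now releases it on FALSE, which is worth confirming so the new 'resp' path does not leak the request. The enclosing function and the loop over `list` start outside the hunk.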