[dovecot-cvs] dovecot/src/pop3-login client-authenticate.c, 1.14,
1.15
cras at procontrol.fi
cras at procontrol.fi
Sat May 1 22:09:37 EEST 2004
Update of /home/cvs/dovecot/src/pop3-login
In directory talvi:/tmp/cvs-serv21630/pop3-login
Modified Files:
client-authenticate.c
Log Message:
Don't advertise AUTH=PLAIN unless transport is secure
Index: client-authenticate.c
===================================================================
RCS file: /home/cvs/dovecot/src/pop3-login/client-authenticate.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- client-authenticate.c 25 Nov 2003 01:26:26 -0000 1.14
+++ client-authenticate.c 1 May 2004 19:09:35 -0000 1.15
@@ -34,10 +34,18 @@
str_append(str, "SASL");
for (i = 0; i < AUTH_MECH_COUNT; i++) {
- if ((auth_mechs & auth_mech_desc[i].mech) &&
- auth_mech_desc[i].name != NULL &&
- (client->secured || !auth_mech_desc[i].plaintext ||
- !disable_plaintext_auth)) {
+ if ((auth_mechs & auth_mech_desc[i].mech) == 0)
+ continue; /* not available */
+
+ /* a) transport is secured
+ b) auth mechanism isn't plaintext
+ c) we allow insecure authentication
+ - but don't advertise AUTH=PLAIN,
+ as RFC 2595 requires
+ */
+ if (client->secured || !auth_mech_desc[i].plaintext ||
+ (!disable_plaintext_auth &&
+ auth_mech_desc[i].mech != AUTH_MECH_PLAIN)) {
str_append_c(str, ' ');
str_append(str, auth_mech_desc[i].name);
}
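Review bot: The rewritten condition no longer checks `auth_mech_desc[i].name != NULL`, which the old condition did, so an enabled mechanism whose table entry has no name would now reach `str_append(str, auth_mech_desc[i].name)` with a NULL pointer. Whether such an entry exists is not visible in this hunk, but the guard is cheap to keep in the skip test: `if ((auth_mechs & auth_mech_desc[i].mech) == 0 || auth_mech_desc[i].name == NULL) continue;`. The new comment would also be clearer if it said that a), b) and c) are alternatives, any one of which lets the mechanism be listed. This loop only controls what the capability list advertises, so rejecting a PLAIN attempt on an unsecured connection has to happen where the AUTH command is handled, which is outside this hunk. The enclosing function starts and ends outside the hunk.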