dovecot-1.0: If trying to log in with password having illegal ch...

dovecot at dovecot.org dovecot at dovecot.org
Sun Mar 9 13:04:55 EET 2008


details:   http://hg.dovecot.org/dovecot-1.0/rev/da2a9372e26e
changeset: 5538:da2a9372e26e
user:      Timo Sirainen <tss at iki.fi>
date:      Sun Mar 09 12:45:19 2008 +0200
description:
If trying to log in with password having illegal characters, make sure we
fail early.

diffstat:

1 file changed, 25 insertions(+), 1 deletion(-)
src/auth/auth-request.c |   26 +++++++++++++++++++++++++-

diffs (43 lines):

diff -r 6a1792255faf -r da2a9372e26e src/auth/auth-request.c
--- a/src/auth/auth-request.c	Sun Mar 09 12:36:55 2008 +0200
+++ b/src/auth/auth-request.c	Sun Mar 09 12:45:19 2008 +0200
@@ -414,6 +414,23 @@ void auth_request_verify_plain_callback(
 	auth_request_verify_plain_callback_finish(result, request);
 }
 
+static bool password_has_illegal_chars(const char *password)
+{
+	for (; *password != '\0'; password++) {
+		switch (*password) {
+		case '\001':
+		case '\t':
+		case '\r':
+		case '\n':
+			/* these characters have a special meaning in internal
+			   protocols, make sure the password doesn't
+			   accidentally get there unescaped. */
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 void auth_request_verify_plain(struct auth_request *request,
 			       const char *password,
 			       verify_plain_callback_t *callback)
@@ -431,7 +448,14 @@ void auth_request_verify_plain(struct au
 			"Attempted master login with no master passdbs");
 		callback(PASSDB_RESULT_USER_UNKNOWN, request);
 		return;
-        }
+	}
+
+	if (password_has_illegal_chars(password)) {
+		auth_request_log_info(request, "passdb",
+			"Attempted login with password having illegal chars");
+		callback(PASSDB_RESULT_USER_UNKNOWN, request);
+		return;
+	}
 
         passdb = request->passdb->passdb;
 	if (request->mech_password == NULL)


More information about the dovecot-cvs mailing list