dovecot-1.0: If trying to log in with password having illegal ch...
dovecot at dovecot.org
dovecot at dovecot.org
Sun Mar 9 13:04:55 EET 2008
details: http://hg.dovecot.org/dovecot-1.0/rev/da2a9372e26e
changeset: 5538:da2a9372e26e
user: Timo Sirainen <tss at iki.fi>
date: Sun Mar 09 12:45:19 2008 +0200
description:
If trying to log in with password having illegal characters, make sure we
fail early.
diffstat:
1 file changed, 25 insertions(+), 1 deletion(-)
src/auth/auth-request.c | 26 +++++++++++++++++++++++++-
diffs (43 lines):
diff -r 6a1792255faf -r da2a9372e26e src/auth/auth-request.c
--- a/src/auth/auth-request.c Sun Mar 09 12:36:55 2008 +0200
+++ b/src/auth/auth-request.c Sun Mar 09 12:45:19 2008 +0200
@@ -414,6 +414,23 @@ void auth_request_verify_plain_callback(
auth_request_verify_plain_callback_finish(result, request);
}
+static bool password_has_illegal_chars(const char *password)
+{
+ for (; *password != '\0'; password++) {
+ switch (*password) {
+ case '\001':
+ case '\t':
+ case '\r':
+ case '\n':
+ /* these characters have a special meaning in internal
+ protocols, make sure the password doesn't
+ accidentally get there unescaped. */
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
void auth_request_verify_plain(struct auth_request *request,
const char *password,
verify_plain_callback_t *callback)
@@ -431,7 +448,14 @@ void auth_request_verify_plain(struct au
"Attempted master login with no master passdbs");
callback(PASSDB_RESULT_USER_UNKNOWN, request);
return;
- }
+ }
+
+ if (password_has_illegal_chars(password)) {
+ auth_request_log_info(request, "passdb",
+ "Attempted login with password having illegal chars");
+ callback(PASSDB_RESULT_USER_UNKNOWN, request);
+ return;
+ }
passdb = request->passdb->passdb;
if (request->mech_password == NULL)
More information about the dovecot-cvs
mailing list