dovecot-1.1: If trying to log in with password having illegal ch...
dovecot at dovecot.org
Sun Mar 9 13:04:50 EET 2008
details: http://hg.dovecot.org/dovecot-1.1/rev/1125d2d59e82
changeset: 7389:1125d2d59e82
user: Timo Sirainen <tss at iki.fi>
date: Sun Mar 09 12:45:17 2008 +0200
description:
If trying to log in with password having illegal characters, make sure we
fail early.
diffstat:
src/auth/auth-request.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diffs (43 lines):
diff -r 08d31d752893 -r 1125d2d59e82 src/auth/auth-request.c
--- a/src/auth/auth-request.c Sun Mar 09 12:37:26 2008 +0200
+++ b/src/auth/auth-request.c Sun Mar 09 12:45:17 2008 +0200
@@ -426,6 +426,23 @@ void auth_request_verify_plain_callback(
auth_request_verify_plain_callback_finish(result, request);
}
+static bool password_has_illegal_chars(const char *password)
+{
+ for (; *password != '\0'; password++) {
+ switch (*password) {
+ case '\001':
+ case '\t':
+ case '\r':
+ case '\n':
+ /* these characters have a special meaning in internal
+ protocols, make sure the password doesn't
+ accidentally get there unescaped. */
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
void auth_request_verify_plain(struct auth_request *request,
const char *password,
verify_plain_callback_t *callback)
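Review bot: the character set in password_has_illegal_chars() ('\001', '\t', '\r', '\n') is a second copy of whatever the escaping code for the "internal protocols" named in the comment already treats as special, so the two can silently drift apart when a separator or escape byte is added later; consider deriving both from one shared definition, or at least naming the protocol and the escaping routine in the comment so a future change to one is traceable to the other. Minor: the switch has no default: branch, which is fine since every case returns, but adding `default: break;` makes the intent explicit and quiets compilers that warn about unhandled values.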
@@ -443,7 +460,14 @@ void auth_request_verify_plain(struct au
"Attempted master login with no master passdbs");
callback(PASSDB_RESULT_USER_UNKNOWN, request);
return;
- }
+ }
+
+ if (password_has_illegal_chars(password)) {
+ auth_request_log_info(request, "passdb",
+ "Attempted login with password having illegal chars");
+ callback(PASSDB_RESULT_USER_UNKNOWN, request);
+ return;
+ }
passdb = request->passdb->passdb;
if (request->mech_password == NULL)
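Review bot: password_has_illegal_chars(password) dereferences its argument unconditionally, and the very next lines show that the request can carry a NULL mech_password, so please confirm that the `password` parameter of auth_request_verify_plain() can never be NULL at this point (or guard the call). The rejection also reports PASSDB_RESULT_USER_UNKNOWN for a password that merely contains a tab or newline, which tells callers and log readers "no such user" when the user may well exist; a result that describes the password rather than the user, if the enum has one, would be more accurate and would keep this case distinguishable from a genuine unknown user when triaging logs. The logged text could also include the offending byte value (never the password itself) to make the rejection diagnosable. Nit: the `- }` / `+ }` pair at the top of the hunk looks like a whitespace-only change and could be dropped from the commit.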