[Dovecot] where are variables expanded? Was: %d does not expand to domain
Giuliano Gavazzi
dev+lists at humph.com
Thu Apr 30 12:51:48 EEST 2009
On W 29 Apr, 2009, at 22:21 , Giuliano Gavazzi wrote:
> I am trying to patch the source so that the %d expansion variable
> uses original_username (instead of user I suppose) of auth_request,
> but I cannot find where this expansion is done..
> Pointers?
>
> Thanks
> Giuliano
I thought it was in auth_request_get_var_expand_table, and changed thus:
//GG tab[2].value = strchr(auth_request->user, '@');
tab[2].value = strchr(auth_request->original_username,
'@'); //GG test to keep domain
but this makes no difference (well, not in the expansion for
mail_location).
I found other places where var_expand_table is set (easy, as you
always use tab as a local variable), but as they were not passed
auth_request it was not possible to get the original_username.
I think I can see a reason behind this: ignoring the domain passed
when authenticating means that the domain part has not been checked
and thus its use unwarranted. In the case of system users this would
pose no threat, but for virtual users it might, in principle, allow an
unauthorised access to other maildirs.
Giuliano
More information about the dovecot
mailing list