Re: [exim] [Dovecot] request to have dovecot authenticator d…

Author: Philip Hazel
Date:  
To: Timo Sirainen
CC: exim-users, dovecot
Subject: Re: [exim] [Dovecot] request to have dovecot authenticator driver 'officially' included/supported
On Sun, 8 Oct 2006, Timo Sirainen wrote:

> I mentioned this before too, but in case you didn't notice:
I didn't. :-) Thanks.

> int auth_dovecot_server(auth_instance *ablock, uschar *data)
> ..
>        fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
>                "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
>                VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
>                ablock->public_name, sender_host_address, interface_address,
>                data ? (char *) data : "");
>
> Can data parameter contain tab characters? If it can, you should prevent
> them from going to dovecot-auth.
Indeed. However, the only one of those fields that might contain tabs is
"data", but it is supposed to be base-64 encoded, so it shouldn't.
However, some evil person might send an illegal tab in there I suppose.
Exim can trivially check for tabs or that the data is valid base-64, but
shouldn't Dovecot also do that? The Dovecot home page says "Dovecot is
an open source IMAP and POP3 server for Linux/UNIX-like systems, written
with security primarily in mind." I would hope, therefore, that whatever
junk was passed to it would be rigorously checked.

I'll put in a test for tabs. I am disappointed that new software should
be using tabs as separators, however. They are confusing and lead to no
end of trouble in other places where they are used like this (Makefiles,
Sendmail configs, for example). See, for example, discussion in

http://www.cs.umd.edu/class/spring2002/cmsc214/Tutorial/makefile.html

(which I found with a quick Google). I personally think that all
whitespace characters should be treated as equal. You can't distinguish
tabs from spaces when they are displayed, and if you cut and paste text,
tabs can get lost.

-- 
Philip Hazel            University of Cambridge Computing Service
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
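The check discussed above, as an added example that is not Exim's or Dovecot's own code: the Dovecot auth protocol separates fields with tabs and lines with newlines, so a tab or newline inside the `resp` field (or any other field) would move the field boundaries on the far side. Since a well-formed base64 string can contain neither, a strict base64 syntax check on `data` covers both the "test for tabs" and the "valid base-64" option mentioned in the reply. The function names (`dovecot_auth_data_ok`, `field_is_clean`, `build_dovecot_auth_line`) and the sample values are constructed for this example; only the AUTH line format is taken from the quoted fragment.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Exim's or Dovecot's own code): validate the fields of
 * a tab-separated Dovecot auth "AUTH" line before writing it.  Tab and
 * newline are the protocol's separators, so neither may appear inside a
 * field value.  Base64 text never contains either, so restricting the
 * initial response to the base64 alphabet rejects them along with any
 * other junk.
 */

/* Returns 1 if s is NULL (no initial response) or well-formed, padded
 * base64 in the RFC 4648 alphabet; 0 otherwise. */
int dovecot_auth_data_ok(const char *s)
{
    size_t len, i;
    int pad = 0;

    if (s == NULL)
        return 1;
    len = strlen(s);
    if (len % 4 != 0)               /* padded base64 is a multiple of 4 */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '=') {
            if (++pad > 2)          /* at most two padding characters */
                return 0;
        } else if (pad > 0) {
            return 0;               /* data after padding is not base64 */
        } else if (!(isalnum(c) || c == '+' || c == '/')) {
            return 0;               /* covers tab, CR, LF and anything else */
        }
    }
    return 1;
}

/* Returns 1 if a non-base64 field (mechanism name, addresses) is non-NULL
 * and free of the protocol separators tab, CR and LF; 0 otherwise. */
int field_is_clean(const char *s)
{
    if (s == NULL)
        return 0;
    return strpbrk(s, "\t\r\n") == NULL;
}

/* Formats the AUTH line in the layout of the quoted fragment into out.
 * Returns the line length, or -1 if a field fails validation or the
 * buffer is too small.  Nothing is written to the socket on failure. */
int build_dovecot_auth_line(char *out, size_t outlen, int cuid,
                            const char *mech, const char *rip,
                            const char *lip, const char *resp)
{
    int n;

    if (!field_is_clean(mech) || !field_is_clean(rip) || !field_is_clean(lip))
        return -1;
    if (!dovecot_auth_data_ok(resp))
        return -1;
    n = snprintf(out, outlen,
                 "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
                 cuid, mech, rip, lip, resp ? resp : "");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char line[256];
    /* constructed sample values, not captured traffic; the response is
     * base64 of "\0user\0pass" as a PLAIN client would send it */
    int n = build_dovecot_auth_line(line, sizeof line, 1, "PLAIN",
                                    "192.0.2.10", "192.0.2.1",
                                    "AHVzZXIAcGFzcw==");
    if (n > 0)
        fputs(line, stdout);
    /* a response carrying a tab is refused instead of being forwarded */
    n = build_dovecot_auth_line(line, sizeof line, 1, "PLAIN",
                                "192.0.2.10", "192.0.2.1", "AHVz\tZXI=");
    printf("tab in resp -> %d\n", n);
    return 0;
}
```

The length check (`len % 4`) assumes padded base64, which is what SASL exchanges carry; an authenticator that accepts unpadded input would drop that line and keep the alphabet check, which is the part that excludes the separators.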