On Sun, 8 Oct 2006, Timo Sirainen wrote:
> I mentioned this before too, but in case you didn't notice:
I didn't. :-) Thanks.
> int auth_dovecot_server(auth_instance *ablock, uschar *data)
> ..
> fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
> "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
> VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
> ablock->public_name, sender_host_address, interface_address,
> data ? (char *) data : "");
>
> Can data parameter contain tab characters? If it can, you should prevent
> them from going to dovecot-auth.
Indeed. However, the only one of those fields that might contain tabs is
"data", but it is supposed to be base-64 encoded, so it shouldn't.
However, some evil person might send an illegal tab in there I suppose.
Exim can trivially check for tabs or that the data is valid base-64, but
shouldn't Dovecot also do that? The Dovecot home page says "Dovecot is
an open source IMAP and POP3 server for Linux/UNIX-like systems, written
with security primarily in mind." I would hope, therefore, that whatever
junk was passed to it would be rigorously checked.
I'll put in a test for tabs. I am disappointed that new software should
be using tabs as separators, however. They are confusing and lead to no
end of trouble in other places where they are used like this (Makefiles,
Sendmail configs, for example). See, for example, discussion in
http://www.cs.umd.edu/class/spring2002/cmsc214/Tutorial/makefile.html
(which I found with a quick Google). I personally think that all
whitespace characters should be treated as equal. You can't distinguish
tabs from spaces when they are displayed, and if you cut and paste text,
tabs can get lost.
--
Philip Hazel University of Cambridge Computing Service
Get the Exim 4 book: http://www.uit.co.uk/exim-book