Mercurial > dovecot > original-hg > dovecot-1.0

changeset 5538:da2a9372e26e branch_1_0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
If trying to log in with password having illegal characters, make sure we fail early.
author Timo Sirainen <tss@iki.fi>
date Sun, 09 Mar 2008 12:45:19 +0200
parents 6a1792255faf
children 40995e52c57b
files src/auth/auth-request.c
diffstat 1 files changed, 25 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/auth/auth-request.c	Sun Mar 09 12:36:55 2008 +0200
+++ b/src/auth/auth-request.c	Sun Mar 09 12:45:19 2008 +0200
@@ -414,6 +414,23 @@
 	auth_request_verify_plain_callback_finish(result, request);
 }
 
+static bool password_has_illegal_chars(const char *password)
+{
+	for (; *password != '\0'; password++) {
+		switch (*password) {
+		case '\001':
+		case '\t':
+		case '\r':
+		case '\n':
+			/* these characters have a special meaning in internal
+			   protocols, make sure the password doesn't
+			   accidentally get there unescaped. */
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 void auth_request_verify_plain(struct auth_request *request,
 			       const char *password,
 			       verify_plain_callback_t *callback)
@@ -431,7 +448,14 @@
 			"Attempted master login with no master passdbs");
 		callback(PASSDB_RESULT_USER_UNKNOWN, request);
 		return;
-        }
+	}
+
+	if (password_has_illegal_chars(password)) {
+		auth_request_log_info(request, "passdb",
+			"Attempted login with password having illegal chars");
+		callback(PASSDB_RESULT_USER_UNKNOWN, request);
+		return;
+	}
 
         passdb = request->passdb->passdb;
 	if (request->mech_password == NULL)