changeset 5538:da2a9372e26e branch_1_0
If trying to log in with password having illegal characters, make sure we
fail early.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 09 Mar 2008 12:45:19 +0200 |
parents | 6a1792255faf |
children | 40995e52c57b |
files | src/auth/auth-request.c |
diffstat | 1 files changed, 25 insertions(+), 1 deletions(-) [+] |
--- a/src/auth/auth-request.c Sun Mar 09 12:36:55 2008 +0200
+++ b/src/auth/auth-request.c Sun Mar 09 12:45:19 2008 +0200
@@ -414,6 +414,23 @@
 auth_request_verify_plain_callback_finish(result, request);
 }

+static bool password_has_illegal_chars(const char *password)
+{
+ for (; *password != '\0'; password++) {
+ switch (*password) {
+ case '\001':
+ case '\t':
+ case '\r':
+ case '\n':
+ /* these characters have a special meaning in internal
+ protocols, make sure the password doesn't
+ accidentally get there unescaped. */
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
 void auth_request_verify_plain(struct auth_request *request,
 const char *password,
 verify_plain_callback_t *callback)
@@ -431,7 +448,14 @@
 "Attempted master login with no master passdbs");
 callback(PASSDB_RESULT_USER_UNKNOWN, request);
 return;
- }
+ }
+
+ if (password_has_illegal_chars(password)) {
+ auth_request_log_info(request, "passdb",
+ "Attempted login with password having illegal chars");
+ callback(PASSDB_RESULT_USER_UNKNOWN, request);
+ return;
+ }

 passdb = request->passdb->passdb;
 if (request->mech_password == NULL)
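Review bot: `password_has_illegal_chars()` has no header comment, and its only explanation sits inside the `switch` after the last `case` label, so the rejected set (`\001`, TAB, CR, LF) is not tied to any named protocol or to the code that writes those lines. Because this is a denylist that repeats the internal protocols' delimiter set, it can go stale without anyone noticing if a delimiter is added there. I would add above the function `/* TRUE if password contains a byte that is a delimiter in the internal auth protocols; keep in sync with the escaping applied where those lines are built. */`. The existing comment's word "unescaped" suggests escaping exists elsewhere; that code is not visible in this hunk, and it should stay the primary control, with this check as a backstop.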
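Review bot: The new early return in `auth_request_verify_plain()` reports `PASSDB_RESULT_USER_UNKNOWN` even though no passdb lookup has run, so callers and anyone reading auth results cannot tell a malformed credential from a missing account. If that is deliberate (it mirrors the master-login rejection just above), a comment before the `callback(...)` call would record it, for example `/* no lookup done; reported as unknown user, same as the master-login rejection above */`. The info-level log line is then the only trace that control characters were submitted in a password, so it is worth keeping its text stable for log monitoring. The function body begins and ends outside this hunk, so how `password` is used later, and whether it can be NULL on entry, cannot be checked from here.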