bug in processing passwords with backslash in mail/imap proxy code
mdounin at mdounin.ru
Wed Apr 6 15:59:26 UTC 2016
On Wed, Apr 06, 2016 at 06:32:25PM +0300, Дениска-редиска wrote:
> looks like there is a bug in nginx 1.8.1 in mail proxy code which used for authorization:
> backslash becomes stripped from password when quoted in imap command:
> * OK IMAP4 ready
> p LOGIN "testdev" ",\REz=#tPc"
> p NO Invalid login or password
This should be "p BAD Syntax error", but nginx doesn't care to
check syntax so strictly and allows any character after a
Quoting RFC 3501, http://tools.ietf.org/html/rfc3501#section-9:
: quoted = DQUOTE *QUOTED-CHAR DQUOTE
: QUOTED-CHAR = <any TEXT-CHAR except quoted-specials> /
: "\" quoted-specials
: quoted-specials = DQUOTE / "\"
In summary: fix the client.
More information about the nginx