bug in processing passwords with backslash in mail/imap proxy code
Дениска-редиска
slim at inbox.lv
Wed Apr 6 15:32:25 UTC 2016
Hello,
looks like there is a bug in nginx 1.8.1 in mail proxy code which used for authorization:
backslash becomes stripped from password when quoted in imap command:
* OK IMAP4 ready
p LOGIN "testdev" ",\REz=#tPc"
p NO Invalid login or password
p LOGIN "testdev" ,\REz=#tPc
p OK [CAPABILITY.....
auth_http gets following:
GET /auth HTTP/1.0
Host: 127.0.0.1
Auth-Method: plain
Auth-User: testdev
Auth-Pass: ,REz=#tPc
Auth-Protocol: imap
and
GET /auth HTTP/1.0
Host: 127.0.0.1
Auth-Method: plain
Auth-User: testdev
Auth-Pass: ,\REz=#tPc
Auth-Protocol: imap
respectivelly
nginx conf is as following:
mail {
server {
listen 127.0.0.1:143;
server_name mail.example.com;
auth_http 127.0.0.1:900/auth;
protocol imap;
proxy on;
}
}
More information about the nginx
mailing list