bug in processing passwords with backslash in mail/imap proxy code
Дениска-редиска
slim at inbox.lv
Wed Apr 6 17:09:30 UTC 2016
for note, the client is saslauthd from cyrus-sasl package running with -a rimap
Цитирование Maxim Dounin <mdounin at mdounin.ru> :
> Hello!
> On Wed, Apr 06, 2016 at 06:32:25PM +0300, Дениска-редиска wrote:
> > Hello,
> >
> > looks like there is a bug in nginx 1.8.1 in mail proxy code which used for authorization:
> > backslash becomes stripped from password when quoted in imap command:
> >
> > * OK IMAP4 ready
> > p LOGIN "testdev" ",\REz=#tPc"
> > p NO Invalid login or password
> This should be "p BAD Syntax error", but nginx doesn't care to
> check syntax so strictly and allows any character after a
> backslash.
> Quoting RFC 3501, http://tools.ietf.org/html/rfc3501#section-9:
> : quoted = DQUOTE *QUOTED-CHAR DQUOTE
> :
> : QUOTED-CHAR = <any TEXT-CHAR except quoted-specials> /
> : "\" quoted-specials
> :
> : quoted-specials = DQUOTE / "\"
> In summary: fix the client.
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
More information about the nginx
mailing list