Hi,

I use pass and userdb with dict protocol in a similar way:

key passdb {
  key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: %s^MClient-IP: %r
  format = json
}

(^M is an \r character, inserted with vi CTRL-v + enter)

Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII 13 into an ASCII 1 and an "r".

Python printout from what I get with 2.2.25:

'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'

Is this change intentional? Why?

On 29.07.2016 15:35, Nagy, Attila wrote:
> Hi,
>
> I use pass and userdb with dict protocol in a similar way:
>
> key passdb {
>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol:
> %s^MClient-IP: %r
>   format = json
> }
>
> (^M is an \r character, inserted with vi CTRL-v + enter)
>
> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
> 13 into an ASCII 1 and an "r".
>
> Python printout from what I get with 2.2.25:
>
> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass:
> pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>
> Is this change intentional? Why?

Hi!

Dict protocol escapes your newlines. You are expected to de-escape them yourself.

Following escapes are done, you can de-escape them with your client.

\x00 => \x10
\x01 => \x11
\t => \x1t
\r => \x1r
\n => \x1n

The change has been made to avoid breakage if newlines or NULLs are injected into the data.

Aki

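
One way a dict client could undo the escaping listed in the reply above and then read the CR-separated key from the original question. This is an added example, not code from the thread or from Dovecot; the function names and the duplicate-field check are assumptions made for illustration.

```python
ESC = "\x01"
# Mapping from the reply: the character after \x01 selects the original byte.
UNESCAPE = {"0": "\x00", "1": "\x01", "t": "\t", "r": "\r", "n": "\n"}


def dict_unescape(field: str) -> str:
    """Reverse the dict protocol escaping; reject sequences not in the table."""
    out = []
    i = 0
    while i < len(field):
        ch = field[i]
        if ch == ESC:
            if i + 1 >= len(field) or field[i + 1] not in UNESCAPE:
                raise ValueError("malformed escape at offset %d" % i)
            out.append(UNESCAPE[field[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_lookup(line: str) -> dict:
    """Parse an 'L' line whose key uses the CR-separated layout from the thread."""
    line = line.rstrip("\n")  # strip the framing newline before de-escaping
    if not line.startswith("L"):
        raise ValueError("not a lookup command")
    key = dict_unescape(line[1:])
    name, *headers = key.split("\r")
    fields = {}
    for header in headers:
        field, sep, value = header.partition(": ")
        # Once de-escaped, a CR from the config template and a CR inside a
        # value look the same, so a repeated field is refused, not overwritten.
        if not sep or field in fields:
            raise ValueError("unexpected or repeated field: %r" % field)
        fields[field] = value
    return {"key": name, "fields": fields}


# The printout quoted in the thread, with a framing newline added (constructed).
SAMPLE = ("Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass"
          "\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4\n")

if __name__ == "__main__":
    print(parse_lookup(SAMPLE))
```
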
On 09/23/2016 08:05 AM, Aki Tuomi wrote:
> On 29.07.2016 15:35, Nagy, Attila wrote:
>> I use pass and userdb with dict protocol in a similar way:
>>
>> key passdb {
>>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol:
>> %s^MClient-IP: %r
>>   format = json
>> }
>>
>> (^M is an \r character, inserted with vi CTRL-v + enter)
>>
>> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
>> 13 into an ASCII 1 and an "r".
>>
>> Python printout from what I get with 2.2.25:
>>
>> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass:
>> pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>>
>> Is this change intentional? Why?
> Hi!
>
> Dict protocol escapes your newlines. You are expected to de-escape them
> yourself.
>
> Following escapes are done, you can de-escape them with your client.
>
> \x00 => \x10
> \x01 => \x11
> \t => \x1t
> \r => \x1r
> \n => \x1n
>
>

Following up on this: dovecot 2.2.27 and 2.2.28 go even further (2.2.25 was OK).

If a user specifies a password with a % in it, dovecot silently truncates it. So for example if I specify (just to check this simple example is also bad):

key passdb {
  key = %w
  format = json
}

and a user tries to log in with the password 'Lofasznehogyma%', dovecot sends the following into the dict socket:

'Lshared/Lofasznehogyma'

According to user reports, other characters may also be affected.

Could you please fix this?