On 09/23/2016 08:05 AM, Aki Tuomi wrote:
> On 29.07.2016 15:35, Nagy, Attila wrote:
>> I use pass and userdb with dict protocol in a similar way:
>>
>> key passdb {
>>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: %s^MClient-IP: %r
>>   format = json
>> }
>>
>> (^M is an \r character, inserted with vi CTRL-v + enter)
>>
>> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
>> 13 into an ASCII 1 and an "r".
>>
>> Python printout from what I get with 2.2.25:
>>
>> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>>
>> Is this change intentional? Why?
> Hi!
>
> Dict protocol escapes your newlines. You are expected to de-escape them
> yourself.
>
> The following escapes are done; you can de-escape them with your client.
>
> \x00 => \x10
> \x01 => \x11
> \t => \x1t
> \r => \x1r
> \n => \x1n
>

Following up on this: dovecot 2.2.27 and 2.2.28 go even further (2.2.25 was OK).
If a user specifies a password with a % in it, dovecot silently truncates it.
So for example if I specify (just to check this simple example is also bad):

key passdb {
  key = %w
  format = json
}

and a user tries to log in with the password 'Lofasznehogyma%', dovecot sends
the following into the dict socket:

'Lshared/Lofasznehogyma'

According to user reports, other characters may also be affected.

Could you please fix this?
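The escape scheme described in the quoted reply, and the lookup line shown in the Python printout, are enough to write the receiving side: a dict server has to strip the escaping before it can split the key into fields. The following is an added example, not code from the thread or from Dovecot; it assumes the reading of the scheme that the observed bytes support (0x01 is the escape byte, followed by one of `0`, `1`, `t`, `r`, `n`), and it assumes the `shared/` prefix seen in the printout and in the posted hunk (`DICT_PATH_SHARED`). The sample line is the one from the printout, reassembled onto a single line.

```python
# Added example (not from the thread or from Dovecot): decode a dict-protocol
# lookup request in Python using the escape scheme described in the reply.
# Assumed reading of that scheme: byte 0x01 escapes, and the byte after it
# selects the original value ('0' -> \x00, '1' -> \x01, 't' -> \t,
# 'r' -> \r, 'n' -> \n).
from typing import Dict

ESCAPE_BYTE = 0x01

# second byte of an escape sequence -> the byte it stands for
UNESCAPE_TABLE = {
    ord("0"): b"\x00",
    ord("1"): b"\x01",
    ord("t"): b"\t",
    ord("r"): b"\r",
    ord("n"): b"\n",
}

# Prefix in front of the configured key (DICT_PATH_SHARED in the posted hunk);
# assumed to be the literal "shared/" seen in the printout.
SHARED_PREFIX = b"shared/"


def dict_unescape(data: bytes) -> bytes:
    """Reverse the dict-protocol escaping.

    Malformed input (a dangling 0x01, or 0x01 followed by an unknown byte) is
    rejected rather than passed through, so a truncated or unexpected key is
    surfaced instead of being fed silently to whatever consumes it.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != ESCAPE_BYTE:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("dangling escape byte at end of input")
        nxt = data[i + 1]
        try:
            out += UNESCAPE_TABLE[nxt]
        except KeyError:
            raise ValueError(f"unknown escape sequence 0x01 {nxt:#04x}") from None
        i += 2
    return bytes(out)


def parse_lookup(line: bytes) -> Dict[str, str]:
    """Parse one lookup request ('L' followed by the escaped key).

    The key is assumed to have been built from a config like
    passdb\\rAuth-User: %u\\rAuth-Pass: %w ... (the one in the thread):
    the key name comes first, then 'Name: value' fields separated by \\r.
    Returns the key name under 'key' plus one entry per field.
    """
    if not line.startswith(b"L"):
        raise ValueError("not a lookup request")
    key = dict_unescape(line[1:])
    if key.startswith(SHARED_PREFIX):
        key = key[len(SHARED_PREFIX):]
    # After de-escaping, the \r the config put between fields is a plain
    # byte again, so split on it.
    name, *fields = key.split(b"\r")
    result = {"key": name.decode("utf-8", "surrogateescape")}
    for field in fields:
        fname, sep, value = field.partition(b": ")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        result[fname.decode("utf-8", "surrogateescape")] = value.decode(
            "utf-8", "surrogateescape"
        )
    return result


# Constructed sample: the bytes from the thread's Python printout, as one line.
SAMPLE_LOOKUP = (
    b"Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass"
    b"\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4"
)

if __name__ == "__main__":
    print(parse_lookup(SAMPLE_LOOKUP))
```

One thing the escaping does not solve for this config: a `\r` inside a user-supplied value (a password, say) is escaped on the wire exactly like the `\r` the config uses as a field separator, so after de-escaping the parser cannot tell them apart and will split the value. The escaping protects the line-oriented dict protocol itself, not a separator chosen inside the key; if such values are possible, pick a separator that cannot occur in the substituted data, or validate the field count on the receiving side.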
On 28.02.2017 17:59, Nagy, Attila wrote:
> On 09/23/2016 08:05 AM, Aki Tuomi wrote:
>> On 29.07.2016 15:35, Nagy, Attila wrote:
>>> I use pass and userdb with dict protocol in a similar way:
>>>
>>> key passdb {
>>>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: %s^MClient-IP: %r
>>>   format = json
>>> }
>>>
>>> (^M is an \r character, inserted with vi CTRL-v + enter)
>>>
>>> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
>>> 13 into an ASCII 1 and an "r".
>>>
>>> Python printout from what I get with 2.2.25:
>>>
>>> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>>>
>>> Is this change intentional? Why?
>> Hi!
>>
>> Dict protocol escapes your newlines. You are expected to de-escape them
>> yourself.
>>
>> The following escapes are done; you can de-escape them with your client.
>>
>> \x00 => \x10
>> \x01 => \x11
>> \t => \x1t
>> \r => \x1r
>> \n => \x1n
>>
>>
> Following up on this: dovecot 2.2.27 and 2.2.28 go even further
> (2.2.25 was OK).
> If a user specifies a password with a % in it, dovecot silently
> truncates it.
> So for example if I specify (just to check this simple example is also
> bad):
>
> key passdb {
>   key = %w
>   format = json
> }
>
> and a user tries to log in with the password 'Lofasznehogyma%',
> dovecot sends the following into the dict socket:
>
> 'Lshared/Lofasznehogyma'
>
> According to user reports, other characters may also be affected.
>
> Could you please fix this?

Hi!

Can you try this?

https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch

Aki
Hi,

On 03/13/2017 09:25 AM, Aki Tuomi wrote:
>
> On 28.02.2017 17:59, Nagy, Attila wrote:
>> On 09/23/2016 08:05 AM, Aki Tuomi wrote:
>>> On 29.07.2016 15:35, Nagy, Attila wrote:
>>>> I use pass and userdb with dict protocol in a similar way:
>>>>
>>>> key passdb {
>>>>   key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: %s^MClient-IP: %r
>>>>   format = json
>>>> }
>>>>
>>>> (^M is an \r character, inserted with vi CTRL-v + enter)
>>>>
>>>> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
>>>> 13 into an ASCII 1 and an "r".
>>>>
>>>> Python printout from what I get with 2.2.25:
>>>>
>>>> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>>>>
>>>> Is this change intentional? Why?
>>> Hi!
>>>
>>> Dict protocol escapes your newlines. You are expected to de-escape them
>>> yourself.
>>>
>>> The following escapes are done; you can de-escape them with your client.
>>>
>>> \x00 => \x10
>>> \x01 => \x11
>>> \t => \x1t
>>> \r => \x1r
>>> \n => \x1n
>>>
>>>
>> Following up on this: dovecot 2.2.27 and 2.2.28 go even further
>> (2.2.25 was OK).
>> If a user specifies a password with a % in it, dovecot silently
>> truncates it.
>> So for example if I specify (just to check this simple example is also
>> bad):
>>
>> key passdb {
>>   key = %w
>>   format = json
>> }
>>
>> and a user tries to log in with the password 'Lofasznehogyma%',
>> dovecot sends the following into the dict socket:
>>
>> 'Lshared/Lofasznehogyma'
>>
>> According to user reports, other characters may also be affected.
>>
>> Could you please fix this?
> Hi!
>
> Can you try this?
>
> https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch
>
> Aki

I use 2.2.28, so I've actually tried this:

--- work/dovecot-2.2.28/src/auth/db-dict.c	2017-03-13 13:47:09.406931000 +0100
+++ work/dovecot-2.2.28/src/auth/db-dict.c.orig	2017-03-13 13:45:47.903461000 +0100
@@ -408,7 +408,7 @@ continue; str_truncate(path, strlen(DICT_PATH_SHARED)); - str_append(path, key->key->key); + var_expand(path, key->key->key, iter->var_expand_table); ret = dict_lookup(iter->conn->dict, iter->pool, str_c(path), &key->value); if (ret > 0) { So far it looks ok. Thanks,
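Review bot: the diff is generated in the reverse direction, which makes the hunk at 408 read backwards: the `---` header names the edited file `db-dict.c` and the `+++` header names `db-dict.c.orig`, so the `-` line is the version now in the tree and the `+` line is what was removed. Read the right way round, the applied change is `var_expand(path, key->key->key, iter->var_expand_table);` replaced by `str_append(path, key->key->key);` after the `str_truncate(path, strlen(DICT_PATH_SHARED));` call. That is consistent with the reported truncation: if the key reaching this loop has already been expanded, a second `var_expand` treats a `%` inside a substituted password as the start of a variable reference, which is exactly the `'Lofasznehogyma%'` -> `'Lshared/Lofasznehogyma'` symptom. Regenerate the patch with the `.orig` file as the first argument so the hunk shows the change as applied, and it would be worth adding to the message which escaped and `%`-containing inputs you verified now arrive intact, since "so far it looks ok" does not say what was exercised.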