[dovecot-cvs] dovecot/src/imap-login client-authenticate.c, 1.13, 1.14

cras at procontrol.fi cras at procontrol.fi
Sat May 1 22:09:37 EEST 2004


Update of /home/cvs/dovecot/src/imap-login
In directory talvi:/tmp/cvs-serv21630/imap-login

Modified Files:
	client-authenticate.c 
Log Message:
Don't advertise AUTH=PLAIN unless transport is secure



Index: client-authenticate.c
===================================================================
RCS file: /home/cvs/dovecot/src/imap-login/client-authenticate.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- client-authenticate.c	25 Nov 2003 01:26:26 -0000	1.13
+++ client-authenticate.c	1 May 2004 19:09:34 -0000	1.14
@@ -34,10 +34,17 @@
 	str = t_str_new(128);
 
 	for (i = 0; i < AUTH_MECH_COUNT; i++) {
-		if ((auth_mechs & auth_mech_desc[i].mech) &&
-		    auth_mech_desc[i].name != NULL &&
-		    (secured || !auth_mech_desc[i].plaintext ||
-		     !disable_plaintext_auth)) {
+		if ((auth_mechs & auth_mech_desc[i].mech) == 0)
+			continue; /* not available */
+
+		/* a) transport is secured
+		   b) auth mechanism isn't plaintext
+		   c) we allow insecure authentication
+		        - but don't advertise AUTH=PLAIN, as RFC 2595 requires
+		*/
+		if (secured || !auth_mech_desc[i].plaintext ||
+		    (!disable_plaintext_auth &&
+		     auth_mech_desc[i].mech != AUTH_MECH_PLAIN)) {
 			str_append_c(str, ' ');
 			str_append(str, "AUTH=");
 			str_append(str, auth_mech_desc[i].name);
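Review bot: The rewritten condition drops the `auth_mech_desc[i].name != NULL` test that the old `if` carried, so `str_append(str, auth_mech_desc[i].name)` on the last line of the hunk can now be reached with a NULL name if any enabled mechanism has none. The table is not visible here, so this may be unreachable in practice. Keeping the guard in the early skip is cheap: `if ((auth_mechs & auth_mech_desc[i].mech) == 0 || auth_mech_desc[i].name == NULL) continue;`. Separately, the new comment could say that the list only controls what CAPABILITY advertises, for example `/* advertise only; whether AUTHENTICATE PLAIN is accepted on an insecure transport is decided elsewhere */`, since a client can still attempt a mechanism that is not listed. The enclosing function starts and ends outside the hunk.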


