[Dovecot] Dovecot's MySQL authentication driver
guard
guard at uptime.pl
Thu Nov 16 08:41:16 UTC 2006
On Thu, 16 Nov 2006, Robin Elfrink wrote:
> Egbert Jan wrote:
>
>> I've taken this even further: I have separate 'users' for postfix,
>> postfixadmin (web frontend for virtual users/domains) and dovecot. Each
>> *might* need specific rights.
>
>
> Using restricted user rights and chroots and what not does not prevent
> SQL injection in any way.
Indeed.
But until
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
is set, and default_pass_scheme won't be PLAIN we are secure against SQL
injection. Right?
I have also found the %E variable (escapes '"', "'" and '\' characters by
inserting '\' before them), but how can I use it to escape characters
from %u?
Best Regards.
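
An added example, not part of the original message and not Dovecot's code: it models the two layers discussed above, a character allowlist taken from the quoted auth_username_chars value and the backslash escaping described for %E, applied to %u in a query template. The template, function names and sample logins are hypothetical.

```python
# Added illustration; not Dovecot source. All names here are hypothetical.

# Allowlist copied from the auth_username_chars value quoted in the message.
USERNAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Hypothetical query template; %u stands for the login name.
QUERY_TEMPLATE = "SELECT password FROM users WHERE userid = '%u'"

# Characters the message says %E escapes by prefixing a backslash.
ESCAPED = frozenset({'"', "'", "\\"})


def username_allowed(username):
    # Every character must be in the allowlist; empty names are rejected.
    return bool(username) and all(ch in USERNAME_CHARS for ch in username)


def escape_value(value):
    # Insert a backslash before each of the three quoting metacharacters.
    return "".join("\\" + ch if ch in ESCAPED else ch for ch in value)


def build_query(username):
    # Layer 1: refuse anything outside the allowlist before touching SQL.
    if not username_allowed(username):
        raise ValueError("username contains characters outside the allowlist")
    # Layer 2: escape anyway, so the query stays well-formed if the
    # allowlist is later widened to include a quoting character.
    return QUERY_TEMPLATE.replace("%u", escape_value(username))


def metacharacters_reachable():
    # Quoting characters that would pass the allowlist (empty set expected).
    return set(USERNAME_CHARS & ESCAPED)


if __name__ == "__main__":
    # Constructed sample logins, not taken from any real system.
    for name in ("guard@example.org", "o'brien@example.org"):
        try:
            print(build_query(name))
        except ValueError as err:
            print("rejected %r: %s" % (name, err))
    print("reachable metacharacters:", metacharacters_reachable())
```

Backslash escaping only holds when the database server treats the backslash as an escape character; the client library's own escaping routine or bound parameters are the more dependable second layer.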