[Dovecot] Dovecot's MySQL authentication driver

Timo Sirainen tss at iki.fi
Thu Nov 16 15:20:59 UTC 2006


On Thu, 2006-11-16 at 09:41 +0100, guard wrote:
> auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
> is set, and default_pass_scheme won't be PLAIN we are secure against sql 
> injection. Right?

Right.

> I have also found the %E variable - escape '"', "'" and '\' characters by
> inserting '\' before them, but how can I use it to escape characters
> from %u?

Don't. All the %vars are properly escaped when used in pass_query and
user_query. I'm not sure what happens if you use %E; at best it just
adds extra '\' characters, and at worst it would open up possibilities
for SQL injection holes.

They're also escaped properly in LDAP queries.

If Dovecot didn't do these, it really shouldn't deserve to be advertised
as "Secure IMAP server" :P
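As an added illustration (not code from Dovecot or from either poster), the following is a constructed Python model of the two defences discussed in this thread: the auth_username_chars allowlist that rejects a username before it ever reaches SQL, and the driver's single backslash-escaping of %u. It then shows why layering %E on top is wrong: escaping twice changes the literal the MySQL server decodes, so the lookup no longer matches the real username. The pass_query text is an assumption; the quoting and unescaping rules are a simplified model of MySQL, not its actual parser.

```python
# Allowlist quoted in the thread (Dovecot's auth_username_chars setting).
AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)

# Assumed pass_query; %u is the placeholder Dovecot substitutes.
PASS_QUERY = "SELECT password FROM users WHERE userid = '%u'"


def username_allowed(user: str) -> bool:
    """First defence: reject any name with a character outside the allowlist.
    Quotes and backslashes can never reach the SQL layer this way."""
    return bool(user) and all(c in AUTH_USERNAME_CHARS for c in user)


def mysql_escape(value: str) -> str:
    """Backslash-escape the three characters the thread names: \\ ' and "
    (backslash first, so the added backslashes are not escaped again)."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_pass_query(user: str, escape_twice: bool = False) -> str:
    """Second defence: the driver escapes %u exactly once.
    escape_twice models what wrapping the variable in %E adds on top."""
    escaped = mysql_escape(user)
    if escape_twice:
        escaped = mysql_escape(escaped)
    return PASS_QUERY.replace("%u", escaped)


def mysql_unescape(literal: str) -> str:
    """Simplified model of how the server decodes a backslash-escaped literal."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def value_seen_by_server(query: str) -> str:
    """Pull the quoted userid literal out of the built query and decode it,
    i.e. the value the server actually compares against the users table."""
    prefix = "userid = '"
    start = query.index(prefix) + len(prefix)
    return mysql_unescape(query[start:-1])
</test>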