[dovecot-cvs] dovecot/doc auth-protocol.txt,1.6,1.7
tss at dovecot.org
Sun Oct 15 16:52:30 UTC 2006
Update of /var/lib/cvs/dovecot/doc
In directory talvi:/tmp/cvs-serv22135/doc
Modified Files:
auth-protocol.txt
Log Message:
Require that the "resp" parameter for the AUTH command is the last.
Index: auth-protocol.txt
===================================================================
RCS file: /var/lib/cvs/dovecot/doc/auth-protocol.txt,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- auth-protocol.txt 7 Mar 2006 14:10:36 -0000 1.6
+++ auth-protocol.txt 15 Oct 2006 15:52:25 -0000 1.7
@@ -100,10 +100,14 @@
- lip=<local ip> : Local IP - in standard string format,
- rip=<remote ip> : Remote IP - ie. for IPv4 127.0.0.1 and for IPv6 ::1
- - resp=<base64> : Initial response for authentication mechanism
- secured : Remote user has secured transport to auth client
(eg. localhost, SSL, TLS)
- valid-client-cert : Remote user has presented a valid SSL certificate.
+ - resp=<base64> : Initial response for authentication mechanism.
+ NOTE: This must be the last parameter. Everything
+ after it is ignored. This is to avoid accidental
+ security holes if user-given data is directly put to
+ base64 string without filtering out tabs.
FAIL parameters may contain "reason=.." parameter which should be sent to
remote user instead of a standard "Authentication failed" message. For
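Review bot: the NOTE added at lines 27-30 should name the hole it is guarding against rather than leaving it as "accidental security holes": the AUTH command's parameters are tab-separated, so if an auth client pastes user-supplied data into the resp= value without stripping tabs, whatever follows the tab is parsed as further parameters, and a remote user could append "secured" or "valid-client-cert" (both listed directly above) and have the auth server treat an unsecured connection as secured or as carrying a valid certificate. Spelling that out also makes clear that "Everything after it is ignored" is a guarantee the server's parser must enforce, not merely advice to clients to place resp last; since this change is documentation-only, please confirm the AUTH parser actually stops consuming parameters once it has seen resp=. It would also be worth stating that, as tab is not part of the base64 alphabet, a tab inside the value should be rejected by the decoder rather than silently truncated, so a misbehaving client fails loudly instead of authenticating with a mangled response. Minor wording: "directly put to base64 string" reads better as "put directly into the base64 string".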