[dovecot-cvs] dovecot/doc auth-protocol.txt,1.6,1.6.2.1

tss at dovecot.org tss at dovecot.org
Sun Oct 15 16:52:56 UTC 2006


Update of /var/lib/cvs/dovecot/doc
In directory talvi:/tmp/cvs-serv22139/doc

Modified Files:
      Tag: branch_1_0
	auth-protocol.txt 
Log Message:
Require that the "resp" parameter for AUTH command is the last.



Index: auth-protocol.txt
===================================================================
RCS file: /var/lib/cvs/dovecot/doc/auth-protocol.txt,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -d -r1.6 -r1.6.2.1
--- auth-protocol.txt	7 Mar 2006 14:10:36 -0000	1.6
+++ auth-protocol.txt	15 Oct 2006 15:52:24 -0000	1.6.2.1
@@ -100,10 +100,14 @@
 
  - lip=<local ip>    : Local IP  - in standard string format,
  - rip=<remote ip>   : Remote IP - ie. for IPv4 127.0.0.1 and for IPv6 ::1
- - resp=<base64>     : Initial response for authentication mechanism
  - secured           : Remote user has secured transport to auth client
                        (eg. localhost, SSL, TLS)
  - valid-client-cert : Remote user has presented a valid SSL certificate.
+ - resp=<base64>     : Initial response for authentication mechanism.
+                       NOTE: This must be the last parameter. Everything
+		       after it is ignored. This is to avoid accidental
+		       security holes if user-given data is directly put to
+		       base64 string without filtering out tabs.
 
 FAIL parameters may contain "reason=.." parameter which should be sent to
 remote user instead of a standard "Authentication failed" message. For
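Review bot: the new NOTE on the `resp` line says everything after it is ignored, but it does not say what the auth server does when it sees trailing parameters, and silent ignoring has a downside the hunk itself makes visible: an auth client that emits `secured` or `valid-client-cert` after `resp` would have those flags dropped without any error. Consider documenting whether the server logs or rejects such a request (or stating that clients must place `resp` last and verify their ordering), so the failure mode is an explicit error rather than a silently weaker session. Minor: the three continuation lines of the NOTE are indented with tabs while the first is indented with spaces; `security holes if user-given data is directly put to` and the lines around it should use the same spaces-only indentation as the rest of the parameter list, which also matters in a document whose very point is that tabs in this protocol are significant.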


