[Dovecot] where are variables expanded? Was: %d does not expand to domain

Giuliano Gavazzi dev+lists at humph.com
Thu Apr 30 12:51:48 EEST 2009


On W 29 Apr, 2009, at 22:21 , Giuliano Gavazzi wrote:

> I am trying to patch the source so that the %d expansion variable  
> uses original_username (instead of user I suppose) of auth_request,  
> but I cannot find where this expansion is done..
> Pointers?
>
> Thanks
> Giuliano

I thought it was in auth_request_get_var_expand_table, and changed thus:

//GG    tab[2].value = strchr(auth_request->user, '@');
         tab[2].value = strchr(auth_request->original_username, '@'); //GG test to keep domain

but this makes no difference (well, not in the expansion for  
mail_location).

I found other places where var_expand_table is set (easy, as you  
always use tab as a local variable), but as they were not passed  
auth_request it was not possible to get the original_username.
I think I can see a reason behind this: ignoring the domain passed
when authenticating means that the domain part has not been checked
and thus its use is unwarranted. In the case of system users this would
pose no threat, but for virtual users it might, in principle, allow
unauthorised access to other maildirs.

Giuliano
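
The concern in the last paragraph, as an added example that is not part of the original post and is not Dovecot's code: a simplified expander for %n and %d that builds a mail location with the domain taken either from the verified identity or from what the client typed. `struct req` and `location()` are hypothetical stand-ins for auth_request and the real var_expand code; the login name, domain and /var/vmail template are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the two auth_request fields named in the post. */
struct req {
    const char *user;              /* identity the passdb verified */
    const char *original_username; /* string the client typed */
};

/* Part after '@', or "" when there is none. */
static const char *domain_of(const char *name)
{
    const char *at = strchr(name, '@');
    return at ? at + 1 : "";
}

/* Expand %n (local part of the verified user) and %d into out.
 * from_client selects where %d comes from: 0 = verified identity,
 * 1 = original_username, as in the change tried in the post.
 * Returns 0, or -1 if out is too small. */
int location(const struct req *r, int from_client, const char *tmpl,
             char *out, size_t outlen)
{
    const char *domain = domain_of(from_client ? r->original_username : r->user);
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *s = p;      /* default: copy one literal character */
        size_t n = 1;
        if (p[0] == '%' && p[1] == 'n') { s = r->user; n = strcspn(s, "@"); p++; }
        else if (p[0] == '%' && p[1] == 'd') { s = domain; n = strlen(s); p++; }
        if (o + n >= outlen) return -1;
        memcpy(out + o, s, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed case: the passdb matched "alice" and ignored the domain. */
    struct req r = { "alice", "alice@other.example" };
    char a[128], b[128];
    location(&r, 0, "/var/vmail/%d/%n/Maildir", a, sizeof a);
    location(&r, 1, "/var/vmail/%d/%n/Maildir", b, sizeof b);
    printf("verified: %s\noriginal: %s\n", a, b);
    return 0;
}
```

With the verified identity, %d is empty because no domain was checked; with original_username, the directory component is whatever domain the client supplied.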

