[Dovecot] Bug in driver-mysql.c + fix

Timo Sirainen tss at iki.fi
Sat Mar 13 23:50:15 EET 2010


On Wed, 2010-03-10 at 17:03 +0000, Alain Williams wrote:
> > The problem with doing that is that 1) it's not normally necessary and
> > more importantly 2) doing that makes any potential SQL injection
> > security holes a lot easier to exploit. So I'm not all that eager in
> > adding such code, especially if it can be worked around another way..
> 
> CLIENT_MULTI_STATEMENTS allows multiple statements in one call (you separate by ',').
> CLIENT_MULTI_RESULTS does not imply CLIENT_MULTI_STATEMENTS.
> Is this what you were concerned about?

Yeah, I mixed up MULTI_STATEMENTS and MULTI_RESULTS. So I can enable the
MULTI_RESULTS I guess..

I committed your patch, but with some changes. In error conditions it
would have leaked memory.
http://hg.dovecot.org/dovecot-2.0/rev/612db456c090

> That is not how I store passwords - I keep them as DIGEST-MD5, this is:
> 	md5('username:domain:password')
> So I want %o to be that value. Squirrelmail should be able to deduce that from
> the line in the dovecot-sql.conf:
> 	default_pass_scheme="DIGEST-MD5"

Well, yeah.. That would be possible to implement. But not a very good
idea to waste everyone's CPU by calculating that checksum for each
lookup, when you're the only one using it. So it should be a var-expand
modifier instead of a variable, so you could then use e.g. %Sw that
expands to %w through default_pass_scheme (and only when it's used).

The problem is, var-expand code doesn't currently support adding more
modifiers. So its API would need to be changed.

> I am trying to find a definition of the API to plugins, ...

There are many kinds of plugins, but none really seem to fit what you
wanted to do below.

> if the SQL stored procedure can return arbitrary variables that can then be used
> by PHP plugins then I can do things like issuing a warning about the password
> about to expire, number of failed login attempts since the last success, ...
> Ie all sorts of things that the authentication stored procedures could store
> and manage.

One possibility would be to return 'reason' string from password_query
for failures, which contains all of the information you want to know.
And if you don't want it to be visible to non-webmail clients, you could
return it only when '%r'='127.0.0.1'.
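The %Sw idea above (expand the plaintext password through default_pass_scheme only when the query actually uses it) and the DIGEST-MD5 layout md5('username:domain:password') can be sketched in a few lines. The following is an added illustration, not Dovecot's var-expand code or the committed patch: the "S" modifier is the hypothetical one proposed in the message, the realm is assumed to be the domain part of the login, the SQL escaping is a simplified MySQL-style stand-in for what Dovecot does for its own SQL variables, and the user/password values are constructed for the example.

```python
import hashlib
from typing import Callable, Dict

# Subset of Dovecot's password_query variables (these letters are Dovecot's):
#   %u full user, %n user part, %d domain, %w plaintext password, %r remote IP.
# The "S" modifier (%Sw) is the hypothetical modifier proposed in the thread,
# not something Dovecot implements here.


def digest_md5(username: str, realm: str, password: str) -> str:
    """DIGEST-MD5 scheme as described in the message: hex MD5 of user:realm:password.
    Assumption: the realm is the domain part of the login name."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


# Password schemes the expander knows how to apply to %w.
SCHEMES: Dict[str, Callable[[str, str, str], str]] = {
    "PLAIN": lambda user, realm, password: password,
    "DIGEST-MD5": digest_md5,
}


def sql_escape(value: str) -> str:
    """Simplified MySQL-style escaping for a value placed inside single quotes.
    Assumption for the example; a real driver uses the library's escape call."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


class Expander:
    """Expands %-variables in a query template, hashing the password lazily."""

    def __init__(self, user: str, domain: str, password: str,
                 remote_ip: str, default_pass_scheme: str) -> None:
        self.vars = {"u": f"{user}@{domain}", "n": user, "d": domain,
                     "w": password, "r": remote_ip}
        self.scheme = default_pass_scheme
        self.hash_calls = 0  # counts how often the scheme was actually applied

    def _value(self, var: str, modifiers: str) -> str:
        value = self.vars[var]
        if "S" in modifiers:
            if var != "w":
                raise ValueError("S modifier only applies to %w")
            # Only here, when %Sw is used, is the checksum computed.
            self.hash_calls += 1
            value = SCHEMES[self.scheme](self.vars["n"], self.vars["d"], value)
        return sql_escape(value)

    def expand(self, template: str) -> str:
        out = []
        i = 0
        while i < len(template):
            c = template[i]
            if c != "%":
                out.append(c)
                i += 1
                continue
            i += 1
            if i < len(template) and template[i] == "%":  # literal %%
                out.append("%")
                i += 1
                continue
            modifiers = ""
            while i < len(template) and template[i] == "S":
                modifiers += template[i]
                i += 1
            if i >= len(template) or template[i] not in self.vars:
                raise ValueError(f"unknown variable at offset {i} in {template!r}")
            out.append(self._value(template[i], modifiers))
            i += 1
        return "".join(out)


if __name__ == "__main__":
    # Constructed sample login, not real credentials.
    e = Expander("alice", "example.com", "secret", "127.0.0.1", "DIGEST-MD5")
    print(e.expand("SELECT password FROM users WHERE user='%n' AND domain='%d'"))
    print("hash calls so far:", e.hash_calls)
    print(e.expand("SELECT 1 FROM users WHERE user='%u' AND password='%Sw'"))
    print("hash calls so far:", e.hash_calls)
```

A query that never mentions %Sw leaves hash_calls at zero, which is the CPU argument in the message; the escaping step is there because every expanded value ends up inside a single-statement SQL string, which is also why keeping CLIENT_MULTI_STATEMENTS off matters.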