[Dovecot] Passing data safely in password_key?

Timo Sirainen tss at iki.fi
Mon Aug 5 21:01:13 EEST 2013


On 2.8.2013, at 23.32, Attila Nagy <bra at fsn.hu> wrote:

> On 08/02/2013 02:32 PM, Timo Sirainen wrote:
>> On Mon, 2013-07-29 at 09:22 +0200, Attila Nagy wrote:
>> 
>>> On 07/28/13 13:49, Attila Nagy wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this 
>>>> proxy I do more than giving back user name, password and the host and 
>>>> I need extra information.
>>>> Luckily all of them are available as variables, but more than one 
>>>> comes as user input (like user name and cleartext password) and I'm 
>>>> not sure how to pass them safely.
>>>> Obviously I would need a separator, which is guaranteed not to show up 
>>>> either in user name and the cleartext password.
>>>> Should I use escape (%E) here, or is there a better way?
>>>> 
>>>> 
>>> Just for the record, this is what I use currently:
>>> password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass: 
>>> %w^MAuth-Protocol: %s^M
>>> Client-IP: %r^M
>>> 
>> I have no idea what you're talking about. What is password_key? The
>> password that is being sent to the backend IMAP/POP3 server?
>> 
>> 
>> 
> RTFM? ;)
> 
> http://wiki2.dovecot.org/AuthDatabase/Dict?highlight=%28password_key%29

Ah, dict auth. Yeah, you need to escape the user-given username and password. They can both contain all characters, including CR and LF. (Although auth_username_chars by default disables all the bad chars.) Looks like %E is the only possibility currently. The %E escapes " \ and ' characters only. So you could for example use Auth-User: "%Eu" with quotes and make sure you handle the unescaping correctly. Or maybe you could just use \; or something as the separator since %E only gives you \" \\ and \'.
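As an added illustration of the quoting approach Timo suggests (this is example code written for this page, not Dovecot's own code and not anything from the thread): `percent_e` models the `%E` modifier as described above (backslash before `"`, `\` and `'` only), `build_key_quoted` lays out Attila's `password_key` with the user-supplied fields in double quotes, and `parse_key` is a hypothetical backend-side parser that unescapes correctly, so a CR inside a quoted value stays part of that value instead of starting a new `Header: value` record. The naive, unquoted variant is kept alongside to show why the quoting matters.

```python
# Constructed example; assumes a backend that receives the dict key string.
CR = "\r"  # the ^M separator used in the password_key from the thread
PREFIX = "dovecot/passdb"

# Characters that %E escapes, per Timo's reply: " \ and '  (assumption: nothing else)
_ESCAPED = {'"', "\\", "'"}


def percent_e(value: str) -> str:
    """Model of Dovecot's %E: prefix each of " \\ ' with a backslash."""
    return "".join("\\" + ch if ch in _ESCAPED else ch for ch in value)


def build_key_naive(user: str, password: str, protocol: str, ip: str) -> str:
    """Unquoted layout: a CR in the user-supplied fields injects a new record."""
    return (f"{PREFIX}{CR}Auth-User: {user}{CR}Auth-Pass: {password}{CR}"
            f"Auth-Protocol: {protocol}{CR}Client-IP: {ip}{CR}")


def build_key_quoted(user: str, password: str, protocol: str, ip: str) -> str:
    """Quoted layout: user-supplied fields are %E-escaped and wrapped in quotes."""
    return (f'{PREFIX}{CR}Auth-User: "{percent_e(user)}"{CR}'
            f'Auth-Pass: "{percent_e(password)}"{CR}'
            f"Auth-Protocol: {protocol}{CR}Client-IP: {ip}{CR}")


def naive_fields(key: str) -> dict:
    """What a split-on-CR parser sees; injected records become extra fields."""
    return dict(part.split(": ", 1) for part in key.split(CR)[1:] if part)


def parse_key(key: str) -> dict:
    """Quote-aware parser: inside "...", backslash escapes the next character
    and CR is ordinary data.  Unquoted values run to the next CR."""
    prefix, _, rest = key.partition(CR)
    if prefix != PREFIX:
        raise ValueError("unexpected key prefix")
    fields, i, n = {}, 0, len(rest)
    while i < n:
        j = rest.find(": ", i)
        if j < 0:
            raise ValueError("missing ': ' after header name")
        name, i = rest[i:j], j + 2
        if i < n and rest[i] == '"':
            i, buf = i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                ch = rest[i]
                if ch == "\\":
                    if i + 1 >= n:
                        raise ValueError("dangling backslash")
                    buf.append(rest[i + 1])
                    i += 2
                elif ch == '"':
                    i += 1
                    break
                else:
                    buf.append(ch)
                    i += 1
            value = "".join(buf)
            if i >= n or rest[i] != CR:
                raise ValueError("data after closing quote")
            i += 1
        else:
            j = rest.find(CR, i)
            if j < 0:
                raise ValueError("value not terminated by CR")
            value, i = rest[i:j], j + 1
        if name in fields:
            raise ValueError(f"duplicate field {name}")
        fields[name] = value
    return fields


if __name__ == "__main__":
    # Constructed hostile username containing a quote and a CR-injected record.
    user, password = 'al"ice' + CR + "X: y", "p'ass"
    print(naive_fields(build_key_naive(user, password, "imap", "10.0.0.1")))
    print(parse_key(build_key_quoted(user, password, "imap", "10.0.0.1")))
```

With the naive layout the injected `X: y` surfaces as a field of its own and `Auth-User` is truncated; with the quoted layout the same input round-trips as a single `Auth-User` value and the backend still sees exactly four fields.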


