[Dovecot] Passing data safely in password_key?
Timo Sirainen
tss at iki.fi
Mon Aug 5 21:01:13 EEST 2013
On 2.8.2013, at 23.32, Attila Nagy <bra at fsn.hu> wrote:
> On 08/02/2013 02:32 PM, Timo Sirainen wrote:
>> On Mon, 2013-07-29 at 09:22 +0200, Attila Nagy wrote:
>>
>>> On 07/28/13 13:49, Attila Nagy wrote:
>>>
>>>> Hi,
>>>>
>>>> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this
>>>> proxy I do more than giving back user name, password and the host and
>>>> I need extra information.
>>>> Luckily all of them are available as variables, but more than one
>>>> comes as user input (like user name and cleartext password) and I'm
>>>> not sure how to pass them safely.
>>>> Obviously I would need a separator, which is guaranteed not to show up
>>>> either in user name and the cleartext password.
>>>> Should I use escape (%E) here, or is there a better way?
>>>>
>>>>
>>> Just for the record, this is what I use currently:
>>> password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass:
>>> %w^MAuth-Protocol: %s^M
>>> Client-IP: %r^M
>>>
>> I have no idea what you're talking about. What is password_key? The
>> password that is being sent to the backend IMAP/POP3 server?
>>
>>
>>
> RTFM? ;)
>
> http://wiki2.dovecot.org/AuthDatabase/Dict?highlight=%28password_key%29
Ah, dict auth. Yeah, you need to escape the user-given username and password. They can both contain all characters, including CR and LF. (Although auth_username_chars by default disables all the bad chars.) Looks like %E is the only possibility currently. The %E escapes " \ and ' characters only. So you could for example use Auth-User: "%Eu" with quotes and make sure you handle the unescaping correctly. Or maybe you could just use \; or something as the separator since %E only gives you \" \\ and \'.
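An added example, not part of the thread or of Dovecot's code: a sketch of the backend side of the quoted `"%Eu"` approach suggested above, showing the unescaping and why a CR or quote in the password cannot forge another field. The key layout with every value quoted, the `escape_E` model of `%E`, applying `%E` to `%w` and `%r`, and all function names are assumptions.

```python
# Added example: key layout and helper names are assumptions, not Dovecot code.
SEP = "\r"  # the ^M separator used in the password_key from the thread

def escape_E(value):
    """Model %E as described above: backslash-escape \\ " and ' only."""
    return "".join("\\" + c if c in "\\\"'" else c for c in value)

def build_key(user, password, ip):
    """Key the backend would see for a template with quoted %E values."""
    return SEP.join(["dovecot/passdb",
                     'Auth-User: "%s"' % escape_E(user),
                     'Auth-Pass: "%s"' % escape_E(password),
                     'Client-IP: "%s"' % escape_E(ip)]) + SEP

def parse_key(key):
    """Parse Name: "value" fields; CR/LF inside quotes stay in the value."""
    prefix = "dovecot/passdb" + SEP
    if not key.startswith(prefix):
        raise ValueError("unexpected key prefix")
    fields, i = {}, len(prefix)
    while i < len(key):
        colon = key.find(': "', i)
        if colon < 0:
            raise ValueError("malformed field")
        name = key[i:colon]
        if not name.replace("-", "").isalnum() or name in fields:
            raise ValueError("bad or duplicate field name")
        i, out = colon + 3, []
        while True:
            if i >= len(key):
                raise ValueError("unterminated quoted value")
            c = key[i]
            if c == "\\":  # only the three escapes %E produces are accepted
                if key[i + 1:i + 2] not in ("\\", '"', "'"):
                    raise ValueError("invalid escape")
                out.append(key[i + 1])
                i += 2
            elif c == '"':  # unescaped quote closes the value
                i += 1
                break
            else:
                out.append(c)
                i += 1
        if key[i:i + 1] != SEP:
            raise ValueError("missing separator after value")
        fields[name] = "".join(out)
        i += 1
    return fields
```

The parser rejects anything it does not recognise (unknown escapes, duplicate names, text after a closing quote) instead of guessing, so a value can only ever end at an unescaped `"` followed by the separator.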