29 May
2008
29 May
'08
6:19 p.m.
On Wed, 2008-05-28 at 15:40 -0700, David Jonas wrote:
I spoke too soon. Dovecot still complains about the invalid character. While testing I had forgotten to update to remove <space> from username_chars. I should have known really, since the invalid chars check is done before var_expand() in auth_request_fix_username().
Any other ideas? Adding <space> to the username_chars list doesn't seem like a security threat, but honestly I don't know much about that.
The default auth_username_chars contain only the ones that are commonly used. There should be no problems allowing most non-control characters. In future I'm going to fix also Dovecot's handling of control characters.