Hi, On 03/13/2017 09:25 AM, Aki Tuomi wrote:
On 28.02.2017 17:59, Nagy, Attila wrote:
On 09/23/2016 08:05 AM, Aki Tuomi wrote:
On 29.07.2016 15:35, Nagy, Attila wrote:
I use pass and userdb with dict protocol in a similar way:
key passdb { key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol: %s^MClient-IP: %r format = json }
(^M is an \r character, inserted with vi CTRL-v + enter)
Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII 13 into an ASCII 1 and an "r".
Python printout from what I get with 2.2.25:
'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass: pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
Is this change intentional? Why? Hi!
Dict protocol escapes you newlines. You are expected to de-escape them yourself.
Following escapes are done, you can de-escape them with your client.
\x00 => \x10 \x01 => \x11 \t => \x1t \r => \x1r \n => \x1n
Following up on this: dovecot 2.2.27 and 2.2.28 goes even further (2.2.25 was OK). If a user specifies a password with a % in it, dovecot silently truncates it. So for example if I specify (just to check this simple example is also bad): key passdb { key = %w format = json }
and a user tries to log in with the password 'Lofasznehogyma%', dovecot sends the following into the dict socket: 'Lshared/Lofasznehogyma'
According to user reports, other characters may also be affected.
Could you please fix this? Hi!
Can you try this?
https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42...
Aki
I use 2.2.28, so I've actually tried this: --- work/dovecot-2.2.28/src/auth/db-dict.c 2017-03-13 13:47:09.406931000 +0100 +++ work/dovecot-2.2.28/src/auth/db-dict.c.orig 2017-03-13 13:45:47.903461000 +0100 @@ -408,7 +408,7 @@ continue; str_truncate(path, strlen(DICT_PATH_SHARED)); - str_append(path, key->key->key); + var_expand(path, key->key->key, iter->var_expand_table); ret = dict_lookup(iter->conn->dict, iter->pool, str_c(path), &key->value); if (ret > 0) { So far it looks ok. Thanks,