16 Nov 2006, 5:20 p.m.
On Thu, 2006-11-16 at 09:41 +0100, guard wrote:
> If auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ is set and default_pass_scheme won't be PLAIN, we are secure against SQL injection. Right?
Right.
> I have also found the %E variable - escape '"', "'" and '\' characters by inserting '\' before them - but how can I use it to escape characters from %u?
Don't. All the %vars are properly escaped when used in pass_query and user_query. I'm not sure what happens if you use %E; at best it just adds extra '\', and at worst it would open up possibilities for SQL injection holes.
They're also escaped properly in LDAP queries.
If Dovecot didn't do these, it really shouldn't deserve to be advertised as "Secure IMAP server" :P
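The two defences discussed in this thread, modelled as an added Python example (this is not Dovecot's code and makes no claim about its internals): the auth_username_chars allowlist from guard's question, backslash escaping as the %E description quoted above spells it out, and what applying that escaping a second time on top of an already-escaped %u does to the resulting query. The query template, the function names and the sample usernames are constructed for illustration.

```python
# Added example, not Dovecot code: a model of auth_username_chars plus the
# backslash escaping described for %E, applied to constructed sample input.

# The allowlist value quoted in the thread.
AUTH_USERNAME_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"

# Characters that the %E description says get a '\' put in front of them.
SQL_SPECIALS = "\"'\\"


def username_allowed(username: str) -> bool:
    """Model of auth_username_chars: a login name is rejected if it contains
    any character outside the allowlist.  Assumption for this model: the
    check is plain set membership on every character."""
    return all(c in AUTH_USERNAME_CHARS for c in username)


def sql_escape(value: str) -> str:
    """Backslash escaping as described for %E in the thread: insert '\\'
    before '"', "'" and '\\'.  Illustrative only; not Dovecot's routine."""
    out = []
    for c in value:
        if c in SQL_SPECIALS:
            out.append("\\")
        out.append(c)
    return "".join(out)


def build_password_query(username: str, escape_twice: bool = False) -> str:
    """Expand a constructed password-lookup template with the username.
    The template escapes %u once, as the thread says Dovecot does.
    escape_twice models writing %E on top of that: the already-escaped
    text is escaped again, so every '\\' gains a second '\\'."""
    escaped = sql_escape(username)
    if escape_twice:
        escaped = sql_escape(escaped)
    return f"SELECT password FROM users WHERE userid = '{escaped}'"


def lookup_is_safe(username: str) -> bool:
    """An allowlisted name contains none of the characters escaping exists
    to neutralise, so escaping it is a no-op and the query carries the name
    verbatim.  Both conditions are checked so a mismatch is visible."""
    return username_allowed(username) and sql_escape(username) == username


if __name__ == "__main__":
    samples = ["alice@example.com", "o'brien", "bob' OR '1'='1"]  # constructed
    for name in samples:
        print(f"{name!r}: allowed={username_allowed(name)} safe={lookup_is_safe(name)}")
        print("  once :", build_password_query(name))
        print("  twice:", build_password_query(name, escape_twice=True))
```

Run it and compare the "once" and "twice" lines for the quote-containing names: the single escaping already neutralises every quote, and the second pass only piles backslashes onto the backslashes, which is the "extra '\'" outcome described in the reply. The names that the allowlist admits come through both passes unchanged, which is why the allowlist alone already keeps the injection characters out of the query.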