Hi,
just cleaning the config file, and I found:
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
Aaaaaaaaagur.
On Monday, 29 January 2007 23:29, Jochen Schulz wrote:
Hi,
on my way home today I thought a little bit about my setup which involves user and password lookups in an SQL database (Postgres). I asked myself whether I need to do anything to prevent SQL injection via forged user or domain names.
In the wiki I didn't find anything specific, only http://wiki.dovecot.org/Variables which mentions that there is the %E modifier which escapes single quotes and backslashes. This appears to be a good idea but I am asking myself whether I need to do this since it is not mentioned anywhere. Is anybody able to comment on this?
And BTW, it appears that one can use several modifiers at once. This is only implicitly mentioned in the wiki (You can apply modifier*s*), but it appears to work.
J.
-- Joseba Torre. CIDIR Bizkaia.
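The two defences the thread names, the auth_username_chars allowlist and the %E escaping modifier, modelled in an added example that is not Dovecot's own code. The query shape, the escaping form (backslash prefix) and the sample user names are assumptions for illustration.

```python
"""Added example, not Dovecot's code: models how the auth_username_chars
allowlist and the %E modifier each protect an SQL password lookup that is
built from the user name."""

# Default allowlist exactly as shown in the config comment quoted above.
DEFAULT_AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)


def username_allowed(username, allowed_chars=DEFAULT_AUTH_USERNAME_CHARS):
    """auth_username_chars check: fail if any character is outside the list.
    An empty list means 'allow all characters', as the config comment says."""
    if allowed_chars == "":
        return True
    return all(ch in allowed_chars for ch in username)


def escape_e(value):
    """Stand-in for the %E modifier: escape single quotes and backslashes.
    Assumption: each is prefixed with a backslash; the exact escaping a given
    database expects is not stated on the page."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def password_query(username, use_e_modifier):
    """Expand a hypothetical password_query the way %u (plain) or %Eu would."""
    expanded = escape_e(username) if use_e_modifier else username
    return "SELECT password FROM users WHERE userid = '%s'" % expanded


def lookup(username, allowed_chars=DEFAULT_AUTH_USERNAME_CHARS, use_e_modifier=True):
    """Return the query that would be sent, or None when the allowlist rejects
    the login before any query is built (the 'login automatically fails' case)."""
    if not username_allowed(username, allowed_chars):
        return None
    return password_query(username, use_e_modifier)


if __name__ == "__main__":
    # Constructed sample names: one plain, one with a legitimate apostrophe.
    for name in ("jochen@example.org", "o'brien"):
        print(name, "| default allowlist:", lookup(name))
        print(name, "| allowlist empty, %E on:", lookup(name, "", True))
        print(name, "| allowlist empty, %E off:", lookup(name, "", False))
```

Note the trade-off the allowlist brings: a name such as o'brien is refused outright by the default list, so a site that must accept apostrophes has to empty the list and then relies entirely on %E (or on the driver's own escaping) to keep the quote from ending the SQL literal.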