dovecot-2.2: lib-imap: imap-url: Forgot to check for the presenc...
dovecot at dovecot.org
dovecot at dovecot.org
Tue Sep 17 21:58:06 EEST 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/6be5d8d8af2d
changeset: 16760:6be5d8d8af2d
user: Stephan Bosch <stephan at rename-it.nl>
date: Tue Sep 17 21:57:14 2013 +0300
description:
lib-imap: imap-url: Forgot to check for the presence of ':' in userinfo, which is not allowed.
diffstat:
src/lib-imap/imap-url.c | 41 ++++++++++++++++++++++++++++-------------
src/lib-imap/test-imap-url.c | 5 +++++
2 files changed, 33 insertions(+), 13 deletions(-)
diffs (99 lines):
diff -r be26ae8a9fca -r 6be5d8d8af2d src/lib-imap/imap-url.c
--- a/src/lib-imap/imap-url.c Mon Sep 16 10:05:24 2013 +0300
+++ b/src/lib-imap/imap-url.c Tue Sep 17 21:57:14 2013 +0300
@@ -226,34 +226,49 @@
/* iuserinfo = enc-user [iauth] / [enc-user] iauth */
if (auth.enc_userinfo != NULL) {
- const char *p;
+ const char *p, *uend;
/* Scan for ";AUTH=" */
- p = strchr(auth.enc_userinfo, ';');
- if (p != NULL) {
- if (strncasecmp(p, ";AUTH=",6) != 0) {
+ for (p = auth.enc_userinfo; *p != '\0'; p++) {
+ if (*p == ';')
+ break;
+ /* check for unallowed userinfo characters */
+ if (*p == ':') {
+ parser->error = t_strdup_printf(
+ "Stray ':' in userinfo `%s'", auth.enc_userinfo);
+ return -1;
+ }
+ }
+
+ uend = p;
+
+ if (*p == ';') {
+ if (strncasecmp(p, ";AUTH=", 6) != 0) {
parser->error = t_strdup_printf(
"Stray ';' in userinfo `%s'",
auth.enc_userinfo);
return -1;
}
- if (strchr(p+1, ';') != NULL) {
- parser->error = "Stray ';' after `;AUTH='";
- return -1;
+ for (p += 6; *p != '\0'; p++) {
+ if (*p == ';' || *p == ':') {
+ parser->error = t_strdup_printf(
+ "Stray '%c' in userinfo `%s'", *p, auth.enc_userinfo);
+ return -1;
+ }
}
}
/* enc-user */
- if (url != NULL && p != auth.enc_userinfo) {
- if (!uri_data_decode(parser, auth.enc_userinfo, p, &data))
+ if (url != NULL && uend > auth.enc_userinfo) {
+ if (!uri_data_decode(parser, auth.enc_userinfo, uend, &data))
return -1;
url->userid = p_strdup(parser->pool, data);
}
/* ( "*" / enc-auth-type ) */
- if (p != NULL) {
- p += 6;
+ if (*uend == ';') {
+ p = uend + 6;
if (*p == '\0') {
parser->error = "Empty auth-type value after ';AUTH='";
return -1;
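Review bot: Both added `t_strdup_printf` calls copy the whole of `auth.enc_userinfo` into `parser->error`, and the input most likely to reach the first one is the `user:password@host` form that the new test case adds, so the message would carry the password. Where `parser->error` ends up is not visible in this hunk, but if it is logged or returned to a client, the credential goes with it. Consider a fixed message such as `parser->error = "Stray ':' in userinfo";`, or format only the part before the offending character. Separately, the literal 6 for the length of ";AUTH=" now appears in three places (`strncasecmp(p, ";AUTH=", 6)`, `p += 6`, `uend + 6`); a named constant would keep them in step. The enclosing function starts and ends outside the hunk.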
@@ -989,10 +1004,10 @@
/* user */
if (url->userid != NULL || url->auth_type != NULL) {
if (url->userid != NULL)
- uri_append_user_data(urlstr, ";", url->userid);
+ uri_append_user_data(urlstr, ";:", url->userid);
if (url->auth_type != NULL) {
str_append(urlstr, ";AUTH=");
- uri_append_user_data(urlstr, ";", url->auth_type);
+ uri_append_user_data(urlstr, ";:", url->auth_type);
}
str_append_c(urlstr, '@');
}
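Review bot: The escape set `";:"` is now written out twice here and has to match the characters the parser rejects in iuserinfo, yet nothing in the code says so. A comment above the first call, e.g. `/* ';' and ':' are rejected unencoded by the parser, so they must be escaped here */`, or a shared constant for the set, would keep the writer and the parser from drifting apart. The test-imap-url.c entry added in this commit (`su%3auser`) exercises only the userid call; an entry with an encoded ':' after `;AUTH=` (constructed example: `imap://user;AUTH=A%3aB@host.example.com/`) would cover the auth-type call too, assuming that list is the parse-and-rewrite set. The enclosing function starts and ends outside the hunk.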
diff -r be26ae8a9fca -r 6be5d8d8af2d src/lib-imap/test-imap-url.c
--- a/src/lib-imap/test-imap-url.c Mon Sep 16 10:05:24 2013 +0300
+++ b/src/lib-imap/test-imap-url.c Tue Sep 17 21:57:14 2013 +0300
@@ -759,6 +759,10 @@
},{
.url = "imap://user;AUTH=@example.com"
},{
+ .url = "imap://user:password@example.com"
+ },{
+ .url = "imap://user;AUTH=A:B@example.com"
+ },{
.url = "imap://user%@example.com"
},{
.url = "imap://user%00@example.com"
@@ -903,6 +907,7 @@
#endif
"imap://user@host.example.com/",
"imap://user@host.example.com:993/",
+ "imap://su%3auser@host.example.com/",
"imap://user;AUTH=PLAIN@host.example.com/",
"imap://user;AUTH=PLAIN@host.example.com/INBOX",
"imap://user;AUTH=PLAIN@host.example.com/INBOX/;UID=5",