dovecot-2.2: auth: The mechanisms configured using the auth_mech...

dovecot at dovecot.org dovecot at dovecot.org
Sun Sep 20 18:51:19 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/d482a8097362
changeset: 19157:d482a8097362
user:      Stephan Bosch <stephan at rename-it.nl>
date:      Sun Sep 20 21:49:51 2015 +0300
description:
auth: The mechanisms configured using the auth_mechanisms setting were not enforced.
The login service would check whether the mechanism is supported by auth,
but auth performed no such check of its own. This means that any
implemented mechanism was accessible from a login, even though it was
presumably disabled.

diffstat:

 src/auth/auth-request-handler.c |   5 +++--
 src/auth/mech.c                 |  12 ++++++++++++
 src/auth/mech.h                 |   2 ++
 3 files changed, 17 insertions(+), 2 deletions(-)

diffs (49 lines):

diff -r 4f4243794ba1 -r d482a8097362 src/auth/auth-request-handler.c
--- a/src/auth/auth-request-handler.c	Sun Sep 20 01:04:50 2015 +0300
+++ b/src/auth/auth-request-handler.c	Sun Sep 20 21:49:51 2015 +0300
@@ -475,8 +475,9 @@
 				handler->client_pid, str_sanitize(list[1], MAX_MECH_NAME_LEN));
 			return FALSE;
 		}
-	} else {		 
-		mech = mech_module_find(list[1]);
+	} else {
+		struct auth *auth_default = auth_default_service();
+		mech = mech_register_find(auth_default->reg, list[1]);
 		if (mech == NULL) {
 			/* unsupported mechanism */
 			i_error("BUG: Authentication client %u requested unsupported "
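Review bot: The new lookup in the `else` branch is where auth starts enforcing `auth_mechanisms` on its own, but nothing at the call site records that. A one-line comment above `mech_register_find(...)` would guard against a later refactor switching back to the global module list, for example `/* only mechanisms enabled by auth_mechanisms; do not rely on the login process's check */`. The register is always taken from `auth_default_service()`; if per-service auth settings can carry a different mechanism list (not visible in this hunk), the lookup should use the service named in the request instead. The enclosing function begins and ends outside the hunk.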
diff -r 4f4243794ba1 -r d482a8097362 src/auth/mech.c
--- a/src/auth/mech.c	Sun Sep 20 01:04:50 2015 +0300
+++ b/src/auth/mech.c	Sun Sep 20 21:49:51 2015 +0300
@@ -175,6 +175,18 @@
 	pool_unref(&reg->pool);
 }
 
+const struct mech_module *
+mech_register_find(const struct mechanisms_register *reg, const char *name)
+{
+	const struct mech_module_list *list;
+
+	for (list = reg->modules; list != NULL; list = list->next) {
+		if (strcasecmp(list->module.mech_name, name) == 0)
+			return &list->module;
+	}
+	return NULL;
+}
+
 void mech_init(const struct auth_settings *set)
 {
 	mech_register_module(&mech_plain);
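Review bot: `mech_register_find()` is added without any comment distinguishing it from `mech_module_find()`, which the first hunk stops calling but which presumably remains available. Picking the wrong one silently makes every compiled-in mechanism reachable again, so the prototype added to mech.h in the third hunk deserves a comment such as `/* Returns the mechanism only if it is enabled in this register (auth_mechanisms), otherwise NULL. The name match is case-insensitive. */`. It is also worth confirming that no other request path still passes a client-supplied name to `mech_module_find()`; none is visible in this diff.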
diff -r 4f4243794ba1 -r d482a8097362 src/auth/mech.h
--- a/src/auth/mech.h	Sun Sep 20 01:04:50 2015 +0300
+++ b/src/auth/mech.h	Sun Sep 20 21:49:51 2015 +0300
@@ -68,6 +68,8 @@
 struct mechanisms_register *
 mech_register_init(const struct auth_settings *set);
 void mech_register_deinit(struct mechanisms_register **reg);
+const struct mech_module *
+mech_register_find(const struct mechanisms_register *reg, const char *name);
 
 void mech_init(const struct auth_settings *set);
 void mech_deinit(const struct auth_settings *set);

