[Dovecot] Dovecot's MySQL authentication driver
tss at iki.fi
Thu Nov 16 15:20:59 UTC 2006
On Thu, 2006-11-16 at 09:41 +0100, guard wrote:
> auth_username_chars =
> is set, and default_pass_scheme won't be PLAIN we are secure against sql
> injection. Right?
> I have also found %E variable - escape '"', "'" and '\' characters by
> inserting '\' before them, but how can I use it for escape characters
> from %u?
Don't. All the %vars are properly escaped when used in pass_query and
user_query. I'm not sure what happens if you use %E; at best it just
adds an extra '\' and at worst it would cause an SQL injection hole.
They're also escaped properly in LDAP queries.
If Dovecot didn't do these, it really shouldn't deserve to be advertised
as "Secure IMAP server" :P
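To illustrate the "at best it just adds an extra '\'" point, here is an added example (not Dovecot's code): it models the %E escaping the thread describes (a '\' inserted before '"', "'" and '\'), assumes the same function stands in for the escaping Dovecot applies to %u in pass_query, and shows that applying it twice changes the username the database compares against. The sample usernames and the query shape are constructed.

```python
# Added example, not Dovecot's own code: a model of the %E escaping described in
# the thread, used to show why stacking %E on an already-escaped %u value breaks
# the lookup. Assumption: Dovecot's own escaping of %u is modelled by escape_e().

def escape_e(value: str) -> str:
    """Model of the %E modifier: prefix '"', "'" and '\\' with a '\\'."""
    return "".join("\\" + ch if ch in "\"'\\" else ch for ch in value)

def sql_unescape(value: str) -> str:
    """Model of how a MySQL-style server reads a backslash-escaped string literal."""
    out = []
    chars = iter(value)
    for ch in chars:
        if ch == "\\":
            out.append(next(chars, ""))   # the escaped character is taken literally
        else:
            out.append(ch)
    return "".join(out)

def build_pass_query(username: str, apply_e_modifier: bool) -> str:
    """Render a pass_query-style statement for %u (or %Eu when apply_e_modifier)."""
    expanded = escape_e(username)          # escaping Dovecot already applies to %u (modelled)
    if apply_e_modifier:
        expanded = escape_e(expanded)      # %E escapes the already-escaped value again
    return f"SELECT password FROM users WHERE userid = '{expanded}'"

def username_seen_by_db(username: str, apply_e_modifier: bool) -> str:
    """The userid the database actually compares against after unescaping the literal."""
    query = build_pass_query(username, apply_e_modifier)
    literal = query.split("userid = '", 1)[1][:-1]   # strip the closing quote
    return sql_unescape(literal)

if __name__ == "__main__":
    for user in ["o'brien", "back\\slash"]:            # constructed sample usernames
        print(f"{user!r}: %u -> {username_seen_by_db(user, False)!r}, "
              f"%Eu -> {username_seen_by_db(user, True)!r}")
```

With plain %u the database sees the original username; with %Eu the extra backslashes survive unescaping, so the lookup is made for a different userid and the user cannot authenticate.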