Dict protocol changes string

Aki Tuomi aki.tuomi at dovecot.fi
Mon Mar 13 08:25:35 UTC 2017



On 28.02.2017 17:59, Nagy, Attila wrote:
> On 09/23/2016 08:05 AM, Aki Tuomi wrote:
>> On 29.07.2016 15:35, Nagy, Attila wrote:
>>> I use pass and userdb with dict protocol in a similar way:
>>>
>>> key passdb {
>>>    key = passdb^MAuth-User: %u^MAuth-Pass: %w^MAuth-Protocol:
>>> %s^MClient-IP: %r
>>>    format = json
>>> }
>>>
>>> (^M is an \r character, inserted with vi CTRL-v + enter)
>>>
>>> Until 2.2.24 this has worked, but 2.2.25 seems to convert that ASCII
>>> 13 into an ASCII 1 and an "r".
>>>
>>> Python printout from what I get with 2.2.25:
>>>
>>> 'Lshared/passdb\x01rAuth-User: user\x01rAuth-Pass:
>>> pass\x01rAuth-Protocol: pop3\x01rClient-IP: 1.2.3.4'
>>>
>>> Is this change intentional? Why?
>> Hi!
>>
>> Dict protocol escapes you newlines. You are expected to de-escape them
>> yourself.
>>
>> Following escapes are done, you can de-escape them with your client.
>>
>> \x00 => \x10
>> \x01 => \x11
>> \t => \x1t
>> \r => \x1r
>> \n => \x1n
>>
>>
> Following up on this: dovecot 2.2.27 and 2.2.28 goes even further
> (2.2.25 was OK).
> If a user specifies a password with a % in it, dovecot silently
> truncates it.
> So for example if I specify (just to check this simple example is also
> bad):
> key passdb {
>   key = %w
>   format = json
> }
>
> and a user tries to log in with the password 'Lofasznehogyma%',
> dovecot sends the following into the dict socket:
> 'Lshared/Lofasznehogyma'
>
> According to user reports, other characters may also be affected.
>
> Could you please fix this?

Hi!

Can you try this?

https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735.patch

Aki


More information about the dovecot mailing list