Re: truncated mech names are accepted - a bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 14/03/2014 14:42, Petr Lautrbach wrote:
Hi Petr,
A server with this configuration:
mech_list: A

shows 'ANONYMOUS' in available mechanisms.

It's due to the fact that _sasl_is_equal_mech() compares plug_mech only with the first strlen(req_mech) characters of plug_mech:
lib/common.c:2431:    return (strncasecmp(req_mech, plug_mech, n) == 0);

where n is (usually) an equivalent of strlen(req_mech)

For ANONYMOUS, it means that any string from the following set of
Actually, the way code is structured, all prefixes up to 4 characters will match and the rest will not. Which is probably worse from the consistency point of view.
The fix could be to first compare the length of plug_mech with 'n'.

This might be also a feature - to allow multiple plugin mechanism using one mech_list string,
but it doesn't feel right for me as I haven't found any documentation about that.
You right, this looks like a bug. I will fix.

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux