[RFC PATCH] Prevent setacl for empty identifiers

Wesley Craig wes at umich.edu
Tue Feb 3 14:39:05 EST 2009


rfc4314 seems to specifically disallow empty identifiers.  Also, I
think your patch would probably permit an identifier of "-".  BTW, I
have a patch to this code that I'm currently holding, which
introduces a leading "+" to identifiers.  It's for the case of
XFERing mailboxes with invalid ACLs, i.e., a leading "+" means permit
canonicalization to fail.  Speaking of canonicalization, I wonder
whether the canonicalization routines would allow empty IDs... looks
like auth_krb5.c:mycanonifyid() probably wouldn't, and
auth_unix.c:mycanonifyid() used to but now doesn't.  Perhaps the
problem is this:

	https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/lib/auth_unix.c.diff?r1=1.37;r2=1.38

Removing those lines allows canonicalization of zero length IDs.   
Can't be a good thing, even outside of ACLs.

:wes

On 03 Feb 2009, at 09:27, Thomas Jarosch wrote:
> attached is a small patch for discussion. It prevents "setacl"
> for empty identifiers.
>
> If I read RFC 2086 correctly, empty identifiers seem to be allowed
> (an oversight?), but most clients won't be able to handle this ACL
> and there is also the question whether there is a valid use case for this.
> We just had two cases of users shooting themselves in the foot...
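The point raised above, that a check which only rejects a zero-length identifier still lets "-" through, as an added example that is not Cyrus code and not the patch under discussion.  RFC 4314 lets an identifier start with "-" to mean negative rights for the named user, so a bare "-" is a negative entry for an empty name.  naive_identifier_ok(), strict_identifier_ok() and parse_acl_identifier() are hypothetical names for this illustration; the sample identifiers in main() are constructed.

```c
/* Added example (not Cyrus code): identifier checks for SETACL.
 * naive_identifier_ok() is the kind of check the thread's first patch
 * implies (reject only ""); parse_acl_identifier() strips the RFC 4314
 * "-" (negative rights) prefix first and then requires a non-empty
 * name, so both "" and "-" are rejected.  Function names are
 * hypothetical, chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    bool ok;          /* identifier acceptable for SETACL */
    bool negative;    /* RFC 4314 "-" prefix was present */
    const char *name; /* identifier with the prefix stripped */
} acl_ident;

/* The check that only rejects a zero-length identifier. */
bool naive_identifier_ok(const char *id)
{
    return id != NULL && id[0] != '\0';
}

/* Strip the optional "-" prefix, then insist on a non-empty name. */
acl_ident parse_acl_identifier(const char *id)
{
    acl_ident r = { false, false, NULL };
    if (id == NULL)
        return r;
    if (*id == '-') {          /* negative-rights entry per RFC 4314 */
        r.negative = true;
        id++;
    }
    if (*id == '\0')           /* "" or a bare "-": no name to canonify */
        return r;
    r.name = id;
    r.ok = true;
    return r;
}

/* Convenience wrapper with the same shape as the naive check. */
bool strict_identifier_ok(const char *id)
{
    return parse_acl_identifier(id).ok;
}

int main(void)
{
    /* Constructed sample identifiers, not taken from any real ACL. */
    const char *samples[] = { "", "-", "anyone", "-anyone", "user@example.com" };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        acl_ident p = parse_acl_identifier(samples[i]);
        printf("\"%s\": naive=%s strict=%s negative=%s name=%s\n",
               samples[i],
               naive_identifier_ok(samples[i]) ? "ok" : "reject",
               p.ok ? "ok" : "reject",
               p.negative ? "yes" : "no",
               p.ok ? p.name : "(none)");
    }
    return 0;
}
```

Running it shows the difference the thread describes: the naive check accepts "-" while the stricter one rejects it, and "-anyone" is accepted by both but is reported as a negative entry for "anyone" only by the parser.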

