[RFC PATCH] Prevent setacl for empty identifiers

Wesley Craig wes at umich.edu
Wed Feb 4 17:14:07 EST 2009

On 04 Feb 2009, at 14:33, Thomas Jarosch wrote:
>> auth_unix.c:mycanonifyid() used to but now doesn't.  Perhaps the  
>> problem is this:
>>     https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/ 
>> lib/auth_unix.c.diff?r1=1.37;r2=1.38 Removing those lines allows  
>> canonicalization of zero length IDs.  Can't be a good thing, even  
>> outside of ACLs.
> Good catch. I'm wondering why that code in auth_unix.c was changed  
> at all?
> There must be a valid use case (?) to it.

Well, I suspect that it was to allow numeric IDs.  Perhaps we should  
change the code to make sure there's *some* valid characters.

> How do we go from here? Once we agree on a patch(set),
> I could open a bug report, if that helps any.

Yeah, a bug report will be great.  Once we agree, mark is as a blocker.


More information about the Cyrus-devel mailing list