[RFC PATCH] Prevent setacl for empty identifiers
Wesley Craig
wes at umich.edu
Wed Feb 4 17:14:07 EST 2009
On 04 Feb 2009, at 14:33, Thomas Jarosch wrote:
>> auth_unix.c:mycanonifyid() used to but now doesn't. Perhaps the
>> problem is this:
>> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/lib/auth_unix.c.diff?r1=1.37;r2=1.38
>> Removing those lines allows canonicalization of zero length IDs.
>> Can't be a good thing, even outside of ACLs.
>
> Good catch. I'm wondering why that code in auth_unix.c was changed
> at all?
> There must be a valid use case (?) to it.
Well, I suspect that it was to allow numeric IDs. Perhaps we should
change the code to make sure there are *some* valid characters.
> How do we go from here? Once we agree on a patch(set),
> I could open a bug report, if that helps any.
Yeah, a bug report will be great. Once we agree, mark it as a blocker.
:wes