auth_httpform password encoding bug
John Newbigin
jnewbigin at swin.edu.au
Wed Dec 19 19:31:02 EST 2012
Hi,
This is a patch I have been sitting on for some time.
I have been upgrading from 2.1.19 to 2.1.23 and I have found that some
of my patches are still required (and even work).
(These are Red Hat releases but it seems relevant to the vanilla source
too).
The first issue is that when using saslauthd with auth_httpform, the
password is not correctly encoded if it contains an & character. I also
escape the %, which I think is required. Spaces and + might also be a
problem (untested).
For full correctness, all the expanded parameters should probably be
correctly encoded as x-www-form-urlencoded:
http://www.w3.org/MarkUp/html-spec/html-spec_8.html
I can implement that if anyone is interested but there might be others
who know the code better.
Regards,
John.
--
John Newbigin | ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
ITS | Swinburne University of Technology | Melbourne, Australia
O: EN306 | T: +61 3 9214 8185 | M: +61 410 569 362
E: jnewbigin at swin.edu.au
W: http://www.ict.swin.edu.au/staff/jnewbigin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-sasl-http4.diff
Type: text/x-patch
Size: 1391 bytes
Desc: cyrus-sasl-http4.diff
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20121220/af8f14ab/attachment.bin
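The patch itself is not shown in the archive (the attachment was scrubbed), so the following is an added illustration of the encoding the message asks for, not the author's diff and not code from cyrus-sasl. It applies the application/x-www-form-urlencoded rules from the linked HTML spec to every name and value before the request body is assembled: ASCII letters and digits pass through, a space becomes '+', and every other byte becomes %HH. Encoding all parameters this way, rather than escaping only '&', is what keeps a password containing '=', '%' or '+' from being misparsed on the HTTP side. The function names and the sample credentials below are constructed for the example.

```c
/* Added example: x-www-form-urlencoded encoding of form parameters.
 * Not from cyrus-sasl; function names and sample values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode one value per application/x-www-form-urlencoded (HTML 2.0, s8.2.1):
 * ASCII alphanumerics pass through, ' ' becomes '+', everything else %HH.
 * The check is written out rather than using isalnum() so that it does not
 * depend on the process locale. Returns a malloc'd string or NULL. */
char *form_urlencode(const char *s, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(len * 3 + 1); /* worst case: every byte becomes %HH */
    if (out == NULL)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
            (c >= 'a' && c <= 'z')) {
            out[j++] = (char)c;
        } else if (c == ' ') {
            out[j++] = '+';
        } else {
            out[j++] = '%';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0F];
        }
    }
    out[j] = '\0';
    return out;
}

/* Build "name=value&name=value" from parallel arrays. Because both names and
 * values are encoded, '&', '=', '%' or '+' inside a password cannot split or
 * corrupt the parameter list. Returns a malloc'd string or NULL on failure. */
char *build_form_body(const char **names, const char **values, size_t n)
{
    char *body = NULL;
    size_t body_len = 0;
    for (size_t i = 0; i < n; i++) {
        char *en = form_urlencode(names[i], strlen(names[i]));
        char *ev = form_urlencode(values[i], strlen(values[i]));
        if (en == NULL || ev == NULL) {
            free(en); free(ev); free(body);
            return NULL;
        }
        size_t en_len = strlen(en), ev_len = strlen(ev);
        /* existing body + optional '&' + name + '=' + value + NUL */
        size_t need = body_len + (i ? 1 : 0) + en_len + 1 + ev_len + 1;
        char *tmp = realloc(body, need);
        if (tmp == NULL) {
            free(en); free(ev); free(body);
            return NULL;
        }
        body = tmp;
        if (i)
            body[body_len++] = '&';
        memcpy(body + body_len, en, en_len); body_len += en_len;
        body[body_len++] = '=';
        memcpy(body + body_len, ev, ev_len); body_len += ev_len;
        body[body_len] = '\0';
        free(en); free(ev);
    }
    if (body == NULL) { /* n == 0: return an empty body rather than NULL */
        body = malloc(1);
        if (body) body[0] = '\0';
    }
    return body;
}

int main(void)
{
    /* constructed credentials exercising &, space, % and + */
    const char *names[]  = { "username", "password" };
    const char *values[] = { "alice", "p&ss w%rd+" };
    char *body = build_form_body(names, values, 2);
    if (body == NULL)
        return 1;
    printf("%s\n", body); /* username=alice&password=p%26ss+w%25rd%2B */
    free(body);
    return 0;
}
```

The receiving side must decode with the same rules ('+' back to space, %HH back to the byte), which the server's form parser does for any ordinary HTML form, so no change is needed there once the client encodes consistently.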