auth_httpform password encoding bug

John Newbigin jnewbigin at swin.edu.au
Wed Dec 19 19:31:02 EST 2012


Hi,

This is a patch I have been sitting on for some time.

I have been upgrading from 2.1.19 to 2.1.23 and I have found that some 
of my patches are still required (and even work).

(These are red hat releases but it seems relevant to the vanilla source 
too).

The first issue is that when using saslauthd with auth_httpform, the 
password is not correctly encoded if it contains a & character. I also 
escape the % which I think is required. Spaces and + might also be a 
problem (untested).

For full correctness, all the expanded parameters should probably be 
correctly encoded as x-www-form-urlencoded
http://www.w3.org/MarkUp/html-spec/html-spec_8.html
I can implement that if anyone is interested but there might be others 
who know the code better.

Regards,

John.


-- 
John Newbigin | ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
ITS | Swinburne University of Technology | Melbourne, Australia
O: EN306 | T: +61 3 9214 8185 | M: +61 410 569 362
E: jnewbigin at swin.edu.au
W: http://www.ict.swin.edu.au/staff/jnewbigin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-sasl-http4.diff
Type: text/x-patch
Size: 1391 bytes
Desc: cyrus-sasl-http4.diff
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20121220/af8f14ab/attachment.bin 


More information about the Cyrus-sasl mailing list