auth_httpform password encoding bug
Dan White
dwhite at olp.net
Wed Dec 19 23:40:35 EST 2012
On 12/20/12 00:31 +0000, John Newbigin wrote:
>Hi,
>
>This is a patch I have been sitting on for some time.
>
>I have been upgrading from 2.1.19 to 2.1.23 and I have found that some
>of my patches are still required (and even work).
>
>(These are Red Hat releases but it seems relevant to the vanilla source
>too).
>
>The first issue is that when using saslauthd with auth_httpform, the
>password is not correctly encoded if it contains a & character. I also
>escape the % which I think is required. Spaces and + might also be a
>problem (untested).
>
>For full correctness, all the expanded parameters should probably be
>correctly encoded as x-www-form-urlencoded
>http://www.w3.org/MarkUp/html-spec/html-spec_8.html
>I can implement that if anyone is interested but there might be others
>who know the code better.
John,
There was a bug opened regarding this issue at:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3508
A patch was applied (commit 09348d4e94a49ad4f0891934e353d993226cc9fd) prior
to the 2.1.26 release. Can you verify it addresses your issue?
Thanks,
--
Dan White
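The bug described in the quoted message is a classic form-injection problem: if the expanded password is pasted into the POST body verbatim, a password containing `&` adds an extra field and one containing `%` is decoded as an escape sequence by the receiving server. The block below is an added example written for this page, not code from cyrus-sasl or from either poster's patch. It implements x-www-form-urlencoded encoding of a single value and shows the naive body beside the encoded one. Assumptions: the parameter names `username` and `password`, the sample password `p&ss 100%`, and the set of bytes left unescaped (alphanumerics plus `-._*`, the set most HTTP clients use) are choices made for this example; auth_httpform's real template variables may differ.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes left unescaped by common x-www-form-urlencoded implementations
 * (assumed set for this example: ALPHA / DIGIT / "-" / "." / "_" / "*"). */
static int form_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '*';
}

/* Encode `in` as one x-www-form-urlencoded value: space becomes '+',
 * every other byte outside the unreserved set becomes %XX (uppercase hex).
 * Returns a malloc'd NUL-terminated string the caller frees, or NULL on
 * allocation failure. The input is a C string, so an embedded NUL cannot
 * be represented; saslauthd passes C strings too, so that matches. */
char *form_encode(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);          /* worst case: every byte -> %XX */
    if (!out) return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (form_unreserved(*s)) {
            *p++ = (char)*s;
        } else if (*s == ' ') {
            *p++ = '+';
        } else {
            p += sprintf(p, "%%%02X", (unsigned)*s);
        }
    }
    *p = '\0';
    return out;
}

/* Convenience for checks: 1 if form_encode(in) equals expect, else 0. */
int encodes_to(const char *in, const char *expect)
{
    char *e = form_encode(in);
    int ok = e != NULL && strcmp(e, expect) == 0;
    free(e);
    return ok;
}

/* Build the POST body the safe way: encode each value separately, then join
 * with '=' and '&'. Parameter names are fixed here for the example. */
char *build_form_body(const char *user, const char *password)
{
    char *eu = form_encode(user);
    char *ep = form_encode(password);
    if (!eu || !ep) { free(eu); free(ep); return NULL; }
    size_t n = strlen("username=") + strlen(eu) + strlen("&password=") + strlen(ep) + 1;
    char *body = malloc(n);
    if (body) snprintf(body, n, "username=%s&password=%s", eu, ep);
    free(eu);
    free(ep);
    return body;
}

/* Count '&'-separated fields the way a server-side form parser would.
 * An unencoded '&' in the password shows up as an extra field. */
int count_form_fields(const char *body)
{
    int n = 1;
    for (; *body; body++)
        if (*body == '&') n++;
    return n;
}

int main(void)
{
    const char *password = "p&ss 100%";       /* constructed sample password */
    char naive[128];
    snprintf(naive, sizeof naive, "username=%s&password=%s", "alice", password);
    char *fixed = build_form_body("alice", password);
    if (!fixed) return 1;
    printf("naive:   %s  (%d fields)\n", naive, count_form_fields(naive));
    printf("encoded: %s  (%d fields)\n", fixed, count_form_fields(fixed));
    free(fixed);
    return 0;
}
```

With the sample password the naive body parses as three fields (`username`, `password=p`, and a stray `ss 100%`), while the encoded body carries the password intact as `p%26ss+100%25`. The same encoder applied to every expanded template parameter, not only the password, is what the quoted message means by "full correctness".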