Cyrus case issues
Voutsinas Nikos
nvoutsin at noc.uoa.gr
Tue Nov 12 13:28:24 EST 2002
mmmm .....
#include <ctype.h>
#include <grp.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Map of which characters are allowed by auth_canonifyid.
 * Key: 0 -> not allowed (special, ctrl, or would confuse Unix or imapd)
 *      1 -> allowed, but requires an alpha somewhere else in the string
 *      2 -> allowed, and is an alpha
 *      3 -> (ENABLE_EDUNET only) allowed, is an upper-case alpha and is
 *           folded to lower case by auth_canonifyid
 *
 * At least one character must be an alpha.
 *
 * This may not be restrictive enough.
 * Here are the reasons for the restrictions:
 *
 * &    forbidden because of MUTF-7. (This could be fixed.)
 * :    forbidden because it's special in /etc/passwd
 * /    forbidden because it can't be used in a mailbox name
 * * %  forbidden because they're IMAP magic in the LIST/LSUB commands
 * ?    it just scares me
 * ctrl chars, DEL
 *      can't send them as IMAP characters in plain folder names, I think
 * 80-FF forbidden because you can't send them in IMAP anyway
 *      (and they're forbidden as folder names). (This could be fixed.)
 *
 * + and - are *allowed* although '+' is probably used for userid+detail
 * subaddressing and qmail users use '-' for subaddressing.
 *
 * Identifiers don't require a digit, really, so that should probably be
 * relaxed, too.
 */
static char allowedchars[256] = {
 /* 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 00-0F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 10-1F */
#ifdef ENABLE_EDUNET
    0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */
    1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 40-4F */
    3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 1, /* 50-5F */
#else
    1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */
    1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 40-4F */
    2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, /* 50-5F */
#endif
    1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 60-6F */
    2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 0, /* 70-7F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80-8F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 90-9F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* A0-AF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* B0-BF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* C0-CF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* D0-DF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* E0-EF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* F0-FF */
};

/*
 * Convert 'identifier' into canonical form.
 * Returns a pointer to a static buffer containing the canonical form
 * or NULL if 'identifier' is invalid.
 *
 * XXX If any of the characters marked with 0 are valid and are cropping up,
 * the right thing to do is probably to canonicalize the identifier to two
 * representations: one for getpwent calls and one for folder names. The
 * latter canonicalizes to a MUTF7 representation.
 */
char *auth_canonifyid(const char *identifier, size_t len)
{
    static char retbuf[81];
#ifndef ENABLE_EDUNET
    struct group *grp;
#endif
    char sawalpha;
    char *p;

    if (!len) len = strlen(identifier);
    if (len >= sizeof(retbuf)) return NULL;

    if (strcasecmp(identifier, "anonymous") == 0) {
        return "anonymous";
    }
    if (strcasecmp(identifier, "anybody") == 0 ||
        strcasecmp(identifier, "anyone") == 0) {
        return "anyone";
    }

    memcpy(retbuf, identifier, len);
    retbuf[len] = '\0';

    /* This used to be far more restrictive, but many sites seem to ignore the
     * ye olde Unix conventions of username. Specifically, we used to
     *  - drop case on the buffer
     *  - disallow lots of non-alpha characters ('-', '_', others)
     * Now we do neither of these, but impose a very different policy based on
     * the character map above.
     */
    if (!strncmp(retbuf, "group:", 6)) {
#ifndef ENABLE_EDUNET
        grp = getgrnam(retbuf + 6);
        if (!grp) return NULL;
        /* the group name must fit in what is left of retbuf after "group:" */
        if (strlen(grp->gr_name) >= sizeof(retbuf) - 6) return NULL;
        strcpy(retbuf + 6, grp->gr_name);
#endif
        return retbuf;
    }

    /* Copy the string and look up values in the allowedchars array above.
     * If we see any we don't like, reject the string.
     */
    sawalpha = 0;
    for (p = retbuf; *p; p++) {
        switch (allowedchars[*(unsigned char *) p]) {
        case 0:
            return NULL;
        case 2:
            sawalpha = 1;
            /* FALL THROUGH */
#ifdef ENABLE_EDUNET
        case 3:
            /* upper-case alpha: count it as an alpha and fold it to lower
             * case, so "FOOBAR" and "foobar" canonify to the same identifier */
            sawalpha = 1;
            *p = tolower((unsigned char) *p);
#endif
        default:
            ;
        }
    }
    if (!sawalpha) return NULL; /* has to be one alpha char */
    return retbuf;
}
Gardiner Leverett wrote:
>
> Gardiner Leverett wrote:
>
>> The problem is this:
>> On the new machine, a user mailbox is "foobar" for example.
>> The user connects (through the client) as "FOOBAR". SASL
>> authenticates the user fine, but the user can't see the INBOX
>> or any other folders. If the user connects as "foobar", SASL
>> authenticates correctly, and the user can see their mailbox.
>
> One other note: if the user is using Outlook and they connect
> as uppercase, Cyrus will CREATE a new mailbox for the uppercase
> user. When I tried using Netscape, this did not happen. I don't
> know if it's a config issue with Outlook, but either way, the mailbox
> is created, and the user FOOBAR has access to the new mailbox
> "FOOBAR" and not "foobar".
>
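As an added example (not the poster's patch and not Cyrus code), the model below compresses the canonification policy of the code above into one function with case folding as a runtime switch, and shows why the two spellings of the login end up in different INBOXes when folding is off. The "user.<name>" INBOX naming (Cyrus's default '.' hierarchy separator) is an assumption of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trimmed-down model of auth_canonifyid(): the allowedchars policy (reject
 * ctrl, DEL, 8-bit and & : / * % ?; require a letter) plus, when fold_case is
 * set, the ENABLE_EDUNET lowercasing of A-Z.  Returns 0 on rejection. */
static int canonify(const char *id, int fold_case, char *out, size_t outlen)
{
    size_t i, len = strlen(id);
    int sawalpha = 0;

    if (len == 0 || len >= outlen) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)id[i];
        if (c < 0x20 || c >= 0x7f || strchr("&:/*%?", c)) return 0;
        if (isalpha(c)) {
            sawalpha = 1;
            if (fold_case) c = (unsigned char)tolower(c);
        }
        out[i] = (char)c;
    }
    out[len] = '\0';
    return sawalpha;
}

/* 1 if 'id' canonifies to 'expect' (expect == NULL means "rejected"). */
static int canon_is(const char *id, int fold_case, const char *expect)
{
    char canon[81];
    int ok = canonify(id, fold_case, canon, sizeof canon);
    return expect ? (ok && strcmp(canon, expect) == 0) : !ok;
}

/* Assumed: Cyrus selects the personal INBOX "user.<canonical id>" (default
 * '.' separator), so two logins share an INBOX iff they canonify equally. */
static int same_inbox(const char *a, const char *b, int fold_case)
{
    char ca[81], cb[81];
    if (!canonify(a, fold_case, ca, sizeof ca)) return 0;
    if (!canonify(b, fold_case, cb, sizeof cb)) return 0;
    return strcmp(ca, cb) == 0;
}

int main(void)
{   /* constructed logins: without folding, FOOBAR gets its own user.FOOBAR */
    printf("same INBOX: folding off=%d on=%d\n",
           same_inbox("foobar", "FOOBAR", 0), same_inbox("foobar", "FOOBAR", 1));
    return 0;
}
```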