]> git.ipfire.org Git - thirdparty/dovecot/core.git/commitdiff
auth: Properly recognize an empty initial SASL response.
authorStephan Bosch <stephan.bosch@dovecot.fi>
Sat, 25 Nov 2017 14:28:32 +0000 (15:28 +0100)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Tue, 28 Nov 2017 00:36:19 +0000 (02:36 +0200)
It was erroneously handled as an absent initial response.
Restructured the code for clarity and changed the comments: '=' should not be passed to SASL layer at all.

src/auth/auth-request-handler.c

index eeac3fb716eb0fb45a037746ab44157285667b48..54db17d8691ab45962731b00788881b05a81ffae 100644 (file)
@@ -578,12 +578,25 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
                return TRUE;
        }
 
-       /* Empty initial response is a "=" base64 string. Completely empty
-          string shouldn't really be sent, but at least Exim does it,
-          so just allow it for backwards compatibility.. */
-       if (initial_resp != NULL && *initial_resp != '\0') {
+       /* Handle initial respose */
+       if (initial_resp == NULL) {
+               /* No initial response */
+               request->initial_response = NULL;
+               request->initial_response_len = 0;
+       } else if (*initial_resp == '\0' || strcmp(initial_resp, "=") == 0 ) {
+               /* Empty initial response - Protocols that use SASL often
+                  use '=' to indicate an empty initial response; i.e., to
+                  distinguish it from an absent initial response. However, that
+                  should not be conveyed to the SASL layer (it is not even
+                  valid Base64); only the empty string should be passed on.
+                  Still, we recognize it here anyway, because we used to make
+                  the same mistake. */
+               request->initial_response = uchar_empty_ptr;
+               request->initial_response_len = 0;
+       } else {
                size_t len = strlen(initial_resp);
 
+               /* Initial response encoded in Bas64 */
                buf = t_buffer_create(MAX_BASE64_DECODED_SIZE(len));
                if (base64_decode(initial_resp, len, NULL, buf) < 0) {
                        auth_request_handler_auth_fail_code(handler, request,