From: Timo Sirainen <tss@iki.fi>
Date: Fri, 16 May 2003 17:05:42 +0000 (+0300)
Subject: Don't advertise AUTH=PLAIN in capability if disable_plaintext_auth = yes and
X-Git-Tag: 1.1.alpha1~4633
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bc0ddc263fc56dcbc5ccf53a7368da7611cf8de;p=thirdparty%2Fdovecot%2Fcore.git

Don't advertise AUTH=PLAIN in capability if disable_plaintext_auth = yes and
SSL/TLS is not yet negotiated.

--HG--
branch : HEAD
---

diff --git a/src/imap-login/client-authenticate.c b/src/imap-login/client-authenticate.c
index 405b505040..3f1035ba9b 100644
--- a/src/imap-login/client-authenticate.c
+++ b/src/imap-login/client-authenticate.c
@@ -19,7 +19,7 @@
 static enum auth_mech auth_mechs = 0;
 static char *auth_mechs_capability = NULL;
 
-const char *client_authenticate_get_capabilities(void)
+const char *client_authenticate_get_capabilities(int tls)
 {
 	string_t *str;
 	int i;
@@ -34,7 +34,9 @@ const char *client_authenticate_get_capabilities(void)
 
 	for (i = 0; i < AUTH_MECH_COUNT; i++) {
 		if ((auth_mechs & auth_mech_desc[i].mech) &&
-		    auth_mech_desc[i].name != NULL) {
+		    auth_mech_desc[i].name != NULL &&
+		    (tls || !auth_mech_desc[i].plaintext ||
+		     !disable_plaintext_auth)) {
 			str_append_c(str, ' ');
 			str_append(str, "AUTH=");
 			str_append(str, auth_mech_desc[i].name);
diff --git a/src/imap-login/client-authenticate.h b/src/imap-login/client-authenticate.h
index f9480f55bc..9883c60c43 100644
--- a/src/imap-login/client-authenticate.h
+++ b/src/imap-login/client-authenticate.h
@@ -1,7 +1,7 @@
 #ifndef __CLIENT_AUTHENTICATE_H
 #define __CLIENT_AUTHENTICATE_H
 
-const char *client_authenticate_get_capabilities(void);
+const char *client_authenticate_get_capabilities(int tls);
 
 int cmd_login(struct imap_client *client, struct imap_arg *args);
 int cmd_authenticate(struct imap_client *client, struct imap_arg *args);
diff --git a/src/imap-login/client.c b/src/imap-login/client.c
index 02fa27c038..889b35a95f 100644
--- a/src/imap-login/client.c
+++ b/src/imap-login/client.c
@@ -89,14 +89,13 @@ static int client_skip_line(struct imap_client *client)
 
 static int cmd_capability(struct imap_client *client)
 {
-	const char *capability;
+	const char *capability, *auths;
 
+	auths = client_authenticate_get_capabilities(client->tls);
 	capability = t_strconcat("* CAPABILITY " CAPABILITY_STRING,
 				 ssl_initialized ? " STARTTLS" : "",
 				 disable_plaintext_auth && !client->tls ?
-				 " LOGINDISABLED" : "",
-				 client_authenticate_get_capabilities(),
-				 NULL);
+				 " LOGINDISABLED" : "", auths, NULL);
 	client_send_line(client, capability);
 	client_send_tagline(client, "OK Capability completed.");
 	return TRUE;
diff --git a/src/pop3-login/client-authenticate.c b/src/pop3-login/client-authenticate.c
index 1220f9245f..ba935c0641 100644
--- a/src/pop3-login/client-authenticate.c
+++ b/src/pop3-login/client-authenticate.c
@@ -33,7 +33,9 @@ int cmd_capa(struct pop3_client *client, const char *args __attr_unused__)
 		str_append(str, "SASL");
 		for (i = 0; i < AUTH_MECH_COUNT; i++) {
 			if ((auth_mechs & auth_mech_desc[i].mech) &&
-			    auth_mech_desc[i].name != NULL) {
+			    auth_mech_desc[i].name != NULL &&
+			    (client->tls || !auth_mech_desc[i].plaintext ||
+			     !disable_plaintext_auth)) {
 				str_append_c(str, ' ');
 				str_append(str, auth_mech_desc[i].name);
 			}