Bug#406686: [Pkg-exim4-devel] Re: Bug#406686: exim4: Client Auth Can't Handle Special Characters in Passwords

Marc Haber mh+debian-packages at zugschlus.de
Wed Jan 17 22:52:37 CET 2007


tags #406686 confirmed pending
thanks

On Sun, Jan 14, 2007 at 02:02:01PM +0100, Marc Haber wrote:
> On Sat, Jan 13, 2007 at 05:42:41PM +0100, Marc Haber wrote:
> > On Sat, Jan 13, 2007 at 11:39:26AM -0500, Steaphan Greene wrote:
> > > On Sat, Jan 13, 2007 at 05:35:14PM +0100, Marc Haber wrote:
> > > > Yes, and for the versions allowing unencrypted authentication as well. 
> > > > I just wanted to know if the change works outside my lab.
> > > 
> > > Yep, it seems to, but I only tried my tests with test-passwords with 
> > > shifted-number-keys (US QWERTY keyboard, so, "!@#$%^&*()").  I did not 
> > > test it with any others, such as ":".
> > 
> > : is not addressed by this change. I need to ponder a little bit more
> > about that to find a solution.
> 
> No go with extract, but using a RE helped. Thanks to exim-users for
> helping here.
> 
> Can you please try this new, simplified authenticator?
> 
> Cc'ing pkg-exim4-devel to solicit comments from the other guys there.

No response to this message was received. I have extended these
changes to the other parts of the LOGIN and PLAIN client
authenticators and introduced a macro which has greatly simplified the
code:

PASSWDLINE=${sg{\
                ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
                }\
                {\\N[\\^]\\N}\
                {^^}\
            }

plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "<; ${if !eq{$tls_cipher}{}\
                    {^${extract{1}{:}{PASSWDLINE}}\
                     ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
                   }fail}"
.else
  client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
                    ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.endif

login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  # Return empty string if not non-TLS AND looking up $host in passwd-file
  # yields a non-empty string; fail otherwise.
  client_send = "<; ${if and{\
                          {!eq{$tls_cipher}{}}\
                          {!eq{PASSWDLINE}{}}\
                         }\
                      {}fail}\
                 ; ${extract{1}{::}{PASSWDLINE}}\
                 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.else
  # Return empty string if looking up $host in passwd-file yields a
  # non-empty string; fail otherwise.
  client_send = "<; ${if !eq{PASSWDLINE}{}\
                      {}fail}\
                 ; ${extract{1}{::}{PASSWDLINE}}\
                 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.endif

I am planning to upload early next week. If there are any objections,
please voice them.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
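
The following is an added example, not part of the original message or of the Debian exim4 package: a Python model of how the PLAIN authenticator above turns a passwd.client value into the bytes sent on the wire, including the circumflex handling of Exim's plaintext client (a doubled ^^ is a literal ^, a single ^ becomes a NUL byte). The function names and the sample credentials are constructed for illustration.

```python
import base64
import re

def passwdline(value):
    """PASSWDLINE macro: double every ^ in the looked-up 'login:password' value."""
    return re.sub(r"[\^]", "^^", value)

def split_credentials(line):
    """Login is the text before the first colon; the password is everything after it."""
    login = line.split(":", 1)[0]                     # ${extract{1}{:}{PASSWDLINE}}
    password = re.sub(r"([^:]+:)(.*)", r"\2", line)   # ${sg{PASSWDLINE}{([^:]+:)(.*)}{$2}}
    return login, password

def naive_password(line):
    """Comparison only (assumed alternative): colon-separated field 2 cuts the password short."""
    parts = line.split(":")
    return parts[1] if len(parts) > 1 else ""

def circumflex_to_wire(expanded):
    """Model of Exim's client_send step: ^^ is a literal ^, a single ^ is a NUL byte."""
    out = bytearray()
    i = 0
    while i < len(expanded):
        if expanded.startswith("^^", i):
            out += b"^"
            i += 2
        elif expanded[i] == "^":
            out += b"\x00"
            i += 1
        else:
            out += expanded[i].encode()
            i += 1
    return bytes(out)

def plain_response(value):
    """Bytes of the PLAIN response before base64: NUL login NUL password."""
    login, password = split_credentials(passwdline(value))
    return circumflex_to_wire("^" + login + "^" + password)

# Constructed sample: the value a passwd.client lookup returns for a host.
SAMPLE = "relayuser:p^ss:w!rd@#$"

if __name__ == "__main__":
    wire = plain_response(SAMPLE)
    print(wire, base64.b64encode(wire).decode())
    print("field-2 extract would send:", naive_password(SAMPLE))
```

Without the doubling in PASSWDLINE, the ^ inside the password would reach the server as a NUL byte and split the PLAIN response into an extra field.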



