Hello together,
attached is a small patch for discussion. It prevents "setacl"
for empty indentifiers.
If I read RFC 2086 correctly, empty identifiers seem to be allowed
(an oversight?), but most clients won't be able to handle this ACL
and there is also the question if there is a valid use case for this?
We just had two cases of users shooting themselves in the foot...
btw: Concerning the VCS discussion, we use git internally
and I can say the branch handling (esp. merging)
really boosted our productivity.
Enjoy,
Thomas
diff -u -r -p cyrus-imapd-2.3.13/lib/acl_afs.c cyrus-imapd.patched/lib/acl_afs.c
--- cyrus-imapd-2.3.13/lib/acl_afs.c Mon Mar 24 18:43:08 2008
+++ cyrus-imapd.patched/lib/acl_afs.c Tue Feb 3 15:12:16 2009
@@ -137,6 +137,12 @@ void *canonrock;
/* trying to delete invalid/non-existent identifier */
}
+ /* Prevent ACLs for empty identifiers - most clients can't handle them */
+ if (strlen(identifier) == 0) {
+ if (newidentifier) free(newidentifier);
+ return -1;
+ }
+
/* Find any existing entry for 'identifier' in 'acl' */
for (thisid = nextid = *acl; *thisid; thisid = nextid) {
rights = strchr(thisid, '\t');
