Package: mutt
Severity: minor
Tags: upstream

Mutt uses a fixed-length buffer for passwords, 64 bytes wide.  The
last byte is for NULL termination, meaning that mutt will silently
truncate IMAP passwords longer than 63 bytes.

Upstream has doubled the buffer length in HEAD (6204:0fb6d7579fd1),
but obviously the Right Thing would be to either grow the buffer as
needed, or to complain to the user if the buffer is too long.

    [...]
    <twb> If I use '' quoting, they are the same except the very last character is truncated
    <brendan> wonder if we're using a 64-byte buffer or something
    <brendan> indeed we are
    <twb> Is this something you can just fix while we're talking, or do you want a proper bug report?
    <brendan> http://dev.mutt.org/hg/mutt/file/41a8d7dceb6c/account.h#l46
    <brendan> I could up the static number now, but a bug report would help track a better fix
    <brendan> 64-byte buffer means 63-byte passwords max
    <twb> Right, because of null termination
    <brendan> well, I'll double the length now.
    <twb> Ideally you want to either complain to the user if the password is too long to fit, or piss-fart around with arbitrary-length buffers
    <twb> As the "right" solution, I mean :-)
    <brendan> yes :)
    <brendan> mutt silently truncates strings all over the place when they get unusually long, so the proper fix could end up requiring some yak shaving.
    <CIA-144> Brendan Cully <bren...@kublai.com> HEAD * 6204:0fb6d7579fd1 /account.h:
    <CIA-144> http://dev.mutt.org/hg/mutt/rev/0fb6d7579fd1
    <CIA-144> Support passwords of up to 127 characters.
    <CIA-144> I received a report on IRC of a failure due to a 64-byte password.
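
The two fixes named above (complain when the password does not fit, or grow the buffer as needed), next to the silent truncation, as an added sketch in C. This is not mutt's code: the function names and PASS_BUF_LEN are hypothetical, and only the 64-byte width comes from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PASS_BUF_LEN 64 /* width from the report: 63 bytes plus NUL */

/* The reported behaviour: keep what fits, drop the rest, report nothing. */
void copy_truncating(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return;
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* "Complain": refuse input that does not fit and leave dst empty. */
int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) { /* also covers dstlen == 0 */
        if (dstlen > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* "Grow as needed": heap copy sized to the input; caller frees. */
char *copy_growing(const char *src)
{
    size_t n = strlen(src) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, src, n) : NULL;
}

int main(void)
{
    char secret[PASS_BUF_LEN + 1], buf[PASS_BUF_LEN];
    memset(secret, 'x', PASS_BUF_LEN); /* constructed 64-byte password */
    secret[PASS_BUF_LEN] = '\0';
    copy_truncating(buf, sizeof buf, secret);
    printf("truncating copy kept %zu of %zu bytes\n", strlen(buf), strlen(secret));
    if (copy_checked(buf, sizeof buf, secret) != 0)
        fprintf(stderr, "password too long (max %d bytes)\n", PASS_BUF_LEN - 1);
    return 0;
}
```

With the truncating copy the login fails later with an ordinary authentication error; the checked copy reports the length problem at the point where the password is entered.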


