On Mon, 2006-02-20 at 17:14 +0100, Johannes Berg wrote:

> I'll take a look and update the patch if I can.

Below. Note that for longer SASL methods, it might make sense to
increase AUTH_MAX. This patch, however, does not do that.

I also dropped the patch to the spec, since the spec doesn't seem to exist in
the CVS snapshot. It would only need to be changed from $n to
$auth_<n> and to include the AUTH_MAX limitation. (I had not bothered to
include the limitation for $n because 20 seemed high enough; a limit of 3 looks
like it might be encountered in practice, hence I also suggest increasing it.)

This patch also fixes a compile warning over the old one.

johannes

--- exim-snapshot/doc/OptionLists.txt   2006-02-20 04:15:57.000000000 +0100
+++ exim-snapshot.mod/doc/OptionLists.txt       2006-02-20 17:39:15.610369000 
+0100
@@ -124,6 +124,7 @@
 check_string                         string          "From "       appendfile  
      3.03
                                                      unset         pipe        
      3.03
 check_srv                            string*         unset         dnslookup   
      4.31
+client_ignore_invalid_base64         boolean         true          plaintext   
      XXXX
 client_name                          string*         +             cram_md5    
      3.10
 client_secret                        string*         unset         cram_md5    
      3.10
 client_send                          string*         unset         plaintext   
      3.10
--- exim-snapshot/src/auths/plaintext.c 2006-02-20 04:15:50.000000000 +0100
+++ exim-snapshot.mod/src/auths/plaintext.c     2006-02-20 17:53:33.096364000 
+0100
@@ -14,6 +14,8 @@
 /* Options specific to the plaintext authentication mechanism. */
 
 optionlist auth_plaintext_options[] = {
+  { "client_ignore_invalid_base64", opt_bool,
+      (void *)(offsetof(auth_plaintext_options_block, 
client_ignore_invalid_base64)) },
   { "client_send",        opt_stringptr,
       (void *)(offsetof(auth_plaintext_options_block, client_send)) },
   { "server_condition",   opt_stringptr,
@@ -33,7 +35,8 @@
 auth_plaintext_options_block auth_plaintext_option_defaults = {
   NULL,              /* server_condition */
   NULL,              /* server_prompts */
-  NULL               /* client_send */
+  NULL,              /* client_send */
+  FALSE              /* client_ignore_invalid_base64 */
 };
 
 
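Review bot: The default added here is `FALSE`, but the `doc/OptionLists.txt` row added by the same patch lists the default for `client_ignore_invalid_base64` as `true`. The two need to agree. Keeping `FALSE` is the stricter choice, because a malformed challenge from the server then ends the AUTH exchange instead of being replaced by an empty string, so the documentation row should read `false`. A comment such as `/* client_ignore_invalid_base64: off, bad base64 from the server fails the attempt */` would record that intent next to the initialiser.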
@@ -223,8 +226,9 @@
 
 while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)) != 
NULL)
   {
-  int i, len;
+  int i, len, clear_len, auth_var_idx = -1;
   uschar *ss = expand_string(s);
+  uschar *clear, *errorclear = US"";
 
   /* Forced expansion failure is not an error; authentication is abandoned. On
   all but the first string, we have to abandon the authentication attempt by
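Review bot: `auth_var_idx = -1` is declared inside the `while` body, so it is reinitialised on every pass and the later `auth_var_idx++` (in the hunk at `@@ -304,6 +308,27 @@`) always lands on index 0. Each server reply therefore overwrites the first slot, and the `auth_var_idx+1 < AUTH_VARS` bound never comes into play. Declare it once before the loop, `int auth_var_idx = -1;`, and keep only `int i, len, clear_len;` here. The loop opens in this hunk, but the enclosing function starts and ends outside it.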
@@ -304,6 +308,27 @@
       "authenticator", ablock->name);
     return ERROR;
     }
+
+  /* now that we know we'll continue, we put the received data into $auth_<n>,
+   * if possible. buffer+4 skips over the SMTP status code. */
+  clear_len = auth_b64decode(buffer+4, &clear);
+  if (clear_len < 0) {
+    if (!ob->client_ignore_invalid_base64) {
+      /* the server sent an invalid base64 string...
+       * we should explicitly terminate this AUTH anyway */
+      if (smtp_write_command(outblock, FALSE, "*\r\n") >= 0)
+        (void) smtp_read_response(inblock, US buffer, buffsize, '2', timeout);
+      return FAIL;
+    }
+    /* ignore error and put an empty string into the $auth_<n> var */
+    clear_len = 0;
+    clear = errorclear;
+  }
+  if ((clear_len >= 0) && (auth_var_idx+1 < AUTH_VARS)) {
+    auth_var_idx++;
+    auth_vars[auth_var_idx] = string_copy(clear);
+  }
+
   }
 
 /* Control should never actually get here. */
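Review bot: `auth_b64decode(buffer+4, &clear)` assumes the reply in `buffer` is at least four bytes long, and nothing visible here checks that; the read that fills `buffer` is outside the hunk, so this needs confirming. If a bare three-digit reply is possible, `buffer+4` points past the terminator and whatever is left in the buffer is decoded into `$auth_<n>`; a guard such as `clear_len = (Ustrlen(buffer) >= 4) ? auth_b64decode(buffer+4, &clear) : 0;`, with `clear` preset to `errorclear`, avoids that. Separately, `clear_len >= 0` is always true by the time it is tested, and `string_copy(clear)` ignores `clear_len`, so decoded data containing a NUL byte would presumably be stored truncated. The comment above the decode should also state that these values come from the remote server and must be treated as untrusted wherever they are expanded.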
--- exim-snapshot/src/auths/plaintext.h 2006-02-20 04:15:50.000000000 +0100
+++ exim-snapshot.mod/src/auths/plaintext.h     2006-02-20 17:39:17.247369000 
+0100
@@ -13,6 +13,7 @@
   uschar *server_condition;
   uschar *server_prompts;
   uschar *client_send;
+  BOOL    client_ignore_invalid_base64;
 } auth_plaintext_options_block;
 
 /* Data for reading the private options. */


