Re: [Dovecot] Passing data safely in password_key?

2013-08-05 Thread Timo Sirainen
On 2.8.2013, at 23.32, Attila Nagy b...@fsn.hu wrote:

> On 08/02/2013 02:32 PM, Timo Sirainen wrote:
>> On Mon, 2013-07-29 at 09:22 +0200, Attila Nagy wrote:
>>> On 07/28/13 13:49, Attila Nagy wrote:
>>>> Hi,
>>>>
>>>> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this
>>>> proxy I do more than giving back user name, password and the host and
>>>> I need extra information.
>>>> Luckily all of them are available as variables, but more than one
>>>> comes as user input (like user name and cleartext password) and I'm
>>>> not sure how to pass them safely.
>>>> Obviously I would need a separator, which is guaranteed not to show up
>>>> in either the user name or the cleartext password.
>>>> Should I use escape (%E) here, or is there a better way?
>>>
>>> Just for the record, this is what I use currently:
>>> password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass:
>>> %w^MAuth-Protocol: %s^M
>>> Client-IP: %r^M
>>
>> I have no idea what you're talking about. What is password_key? The
>> password that is being sent to the backend IMAP/POP3 server?
>
> RTFM? ;)
>
> http://wiki2.dovecot.org/AuthDatabase/Dict?highlight=%28password_key%29

Ah, dict auth. Yeah, you need to escape the user-given username and password. 
They can both contain all characters, including CR and LF. (Although 
auth_username_chars by default disables all the bad chars.) Looks like %E is 
the only possibility currently. The %E escapes  \ and ' characters only. So 
you could for example use Auth-User: %Eu with quotes and make sure you handle 
the unescaping correctly. Or maybe you could just use \; or something as the 
separator since %E only gives you \ \\ and \'.
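
Added example, not part of the thread and not Dovecot code: a backend-side parser for a key that uses `\;` as the field separator, next to a split-then-unescape parser that gets it wrong. The escape model (a backslash before `\` and `'`, as described in the reply above), the field order and the sample values are assumptions made for the illustration.

```python
# %E as described in the thread: a backslash before \ and '. Constructed model.
ESCAPED = "\\'"
SEP = "\\;"   # separator suggested in the thread; the escape never emits it

def escape(value):
    return "".join("\\" + c if c in ESCAPED else c for c in value)

def build_key(user, password, service, remote_ip):
    # Hypothetical field order; user-controlled fields are escaped (%Eu, %Ew).
    return SEP.join(["dovecot/passdb", escape(user), escape(password),
                     service, remote_ip])

def parse_key(key):
    """One left-to-right pass: a backslash always consumes the next character."""
    fields, cur, i = [], [], 0
    while i < len(key):
        if key[i] != "\\":
            cur.append(key[i])
            i += 1
            continue
        nxt = key[i + 1:i + 2]
        if nxt == ";":                  # field boundary
            fields.append("".join(cur))
            cur = []
        elif nxt and nxt in ESCAPED:    # escaped literal
            cur.append(nxt)
        else:
            raise ValueError("malformed escape at offset %d" % i)
        i += 2
    fields.append("".join(cur))
    return fields

def naive_parse(key):
    # Split first, unescape later: misreads an escaped backslash followed by ';'.
    return [f.replace("\\\\", "\\").replace("\\'", "'") for f in key.split(SEP)]

def cr_layout_fields(user, password):
    # CR-separated layout from the thread; %E leaves CR alone, so it stays ambiguous.
    key = ("dovecot/passdb\rAuth-User: %s\rAuth-Pass: %s\r"
           "Auth-Protocol: imap\rClient-IP: 192.0.2.7\r" % (escape(user), escape(password)))
    return [line for line in key.split("\r") if line]

# Constructed sample: the password contains the separator bytes and a CR.
USER, PASSWORD = "alice", "pw\\;x\rClient-IP: 10.0.0.1"
KEY = build_key(USER, PASSWORD, "imap", "192.0.2.7")

if __name__ == "__main__":
    print(parse_key(KEY))                    # five fields, values intact
    print(len(naive_parse(KEY)))             # 6: the password was split
    print(cr_layout_fields(USER, PASSWORD))  # two Client-IP lines
```

The single-pass parser recovers the password byte for byte, while the CR-separated layout yields a second Client-IP line even with %E applied, which is why the separator has to be a sequence the escaping can never produce.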



Re: [Dovecot] Passing data safely in password_key?

2013-08-02 Thread Timo Sirainen
On Mon, 2013-07-29 at 09:22 +0200, Attila Nagy wrote:
> On 07/28/13 13:49, Attila Nagy wrote:
>> Hi,
>>
>> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this
>> proxy I do more than giving back user name, password and the host and
>> I need extra information.
>> Luckily all of them are available as variables, but more than one
>> comes as user input (like user name and cleartext password) and I'm
>> not sure how to pass them safely.
>> Obviously I would need a separator, which is guaranteed not to show up
>> in either the user name or the cleartext password.
>> Should I use escape (%E) here, or is there a better way?
>
> Just for the record, this is what I use currently:
> password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass:
> %w^MAuth-Protocol: %s^M
> Client-IP: %r^M

I have no idea what you're talking about. What is password_key? The
password that is being sent to the backend IMAP/POP3 server?




Re: [Dovecot] Passing data safely in password_key?

2013-08-02 Thread Attila Nagy

On 08/02/2013 02:32 PM, Timo Sirainen wrote:

> On Mon, 2013-07-29 at 09:22 +0200, Attila Nagy wrote:
>> On 07/28/13 13:49, Attila Nagy wrote:
>>> Hi,
>>>
>>> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this
>>> proxy I do more than giving back user name, password and the host and
>>> I need extra information.
>>> Luckily all of them are available as variables, but more than one
>>> comes as user input (like user name and cleartext password) and I'm
>>> not sure how to pass them safely.
>>> Obviously I would need a separator, which is guaranteed not to show up
>>> in either the user name or the cleartext password.
>>> Should I use escape (%E) here, or is there a better way?
>>
>> Just for the record, this is what I use currently:
>> password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass:
>> %w^MAuth-Protocol: %s^M
>> Client-IP: %r^M
>
> I have no idea what you're talking about. What is password_key? The
> password that is being sent to the backend IMAP/POP3 server?



RTFM? ;)

http://wiki2.dovecot.org/AuthDatabase/Dict?highlight=%28password_key%29



Re: [Dovecot] Passing data safely in password_key?

2013-07-29 Thread Attila Nagy

On 07/28/13 13:49, Attila Nagy wrote:

> Hi,
>
> I would like to convert my custom POP/IMAP proxy to Dovecot's. In this
> proxy I do more than giving back user name, password and the host and
> I need extra information.
> Luckily all of them are available as variables, but more than one
> comes as user input (like user name and cleartext password) and I'm
> not sure how to pass them safely.
> Obviously I would need a separator, which is guaranteed not to show up
> in either the user name or the cleartext password.
>
> Should I use escape (%E) here, or is there a better way?


Just for the record, this is what I use currently:
password_key = dovecot/passdb^MAuth-User: %u^MAuth-Pass: 
%w^MAuth-Protocol: %s^M

Client-IP: %r^M


[Dovecot] Passing data safely in password_key?

2013-07-28 Thread Attila Nagy

Hi,

I would like to convert my custom POP/IMAP proxy to Dovecot's. In this 
proxy I do more than giving back user name, password and the host and I 
need extra information.
Luckily all of them are available as variables, but more than one comes 
as user input (like user name and cleartext password) and I'm not sure 
how to pass them safely.
Obviously I would need a separator, which is guaranteed not to show up 
in either the user name or the cleartext password.

Should I use escape (%E) here, or is there a better way?