[ https://issues.apache.org/jira/browse/JAMES-3868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Tellier closed JAMES-3868.
---------------------------------
    Fix Version/s: 3.8.0
       Resolution: Fixed

> Cannot handle IMAP PLAIN login with password longer than 255 char
> -----------------------------------------------------------------
>
>                 Key: JAMES-3868
>                 URL: https://issues.apache.org/jira/browse/JAMES-3868
>             Project: James Server
>          Issue Type: Bug
>    Affects Versions: 3.6.0
>            Reporter: Niko Usai
>            Priority: Critical
>             Fix For: 3.8.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There is a bug, in my opinion, in how `AuthenticateProcessor` handles PLAIN
> login omitting authorization identity.
> The fact is when authorization identity is blank the password field is parsed
> with Username.of() that has the 255 char limitation, and it expects to raise
> an exception when looking for the 3rd missing argument, where the password
> should be, which does not have this limitation.
> This leads to an "IllegalArgumentException" of the Username class creating
> an invalid AuthenticationAttempt.
> {code:java}
> String userpass = new String(Base64.getDecoder().decode(initialClientResponse));
> StringTokenizer authTokenizer = new StringTokenizer(userpass, "\0");
> String token1 = authTokenizer.nextToken();  // Authorization Identity
> token2 = authTokenizer.nextToken();  // Authentication Identity
> try {
>     return delegation(Username.of(token1), Username.of(token2), authTokenizer.nextToken());
> } catch (java.util.NoSuchElementException ignored) {
>     // If we got here, this is what happened.  RFC 2595
>     // says that "the client may leave the authorization
> {code}
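
The parsing behaviour described in the report above, as an added example that is not part of the original message or of the James code base: it contrasts tokenizer-based parsing of a PLAIN response with positional parsing that keeps the empty authorization identity. The class name, `checkedUsername` (a stand-in for the 255-character limit the report attributes to `Username.of()`), and the sample credentials are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.NoSuchElementException;
import java.util.StringTokenizer;

public class PlainResponseDemo {
    // Hypothetical stand-in for the 255-character limit of Username.of() (assumption, not James code).
    static String checkedUsername(String s) {
        if (s.length() > 255) throw new IllegalArgumentException("username longer than 255 characters");
        return s;
    }

    // Tokenizer-based parsing as in the quoted snippet: StringTokenizer skips the empty authzid,
    // so the password lands in the second slot and meets the username length check first.
    static String tokenizerParse(String decoded) {
        StringTokenizer t = new StringTokenizer(decoded, "\0");
        String token1 = t.nextToken();
        String token2 = t.nextToken();
        try {
            return "authzid=" + checkedUsername(token1) + " authcid=" + checkedUsername(token2)
                    + " passwordLength=" + t.nextToken().length();
        } catch (NoSuchElementException e) {
            return "authcid=" + token1 + " passwordLength=" + token2.length();
        }
    }

    // Positional parsing: split on NUL with limit -1 so the empty authzid field is preserved
    // and the password is never passed through the username check.
    static String[] positionalParse(String decoded) {
        String[] f = decoded.split("\0", -1);
        if (f.length != 3) throw new IllegalArgumentException("expected authzid NUL authcid NUL passwd");
        String authzid = f[0].isEmpty() ? null : checkedUsername(f[0]);
        return new String[] { authzid, checkedUsername(f[1]), f[2] };
    }

    public static void main(String[] args) {
        // Constructed sample: empty authzid, user "alice", 300-character password.
        String raw = "\0alice\0" + "p".repeat(300);
        String b64 = Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
        String decoded = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        try {
            System.out.println("tokenizer parse: " + tokenizerParse(decoded));
        } catch (IllegalArgumentException e) {
            System.out.println("tokenizer parse rejected the login: " + e.getMessage());
        }
        String[] f = positionalParse(decoded);
        System.out.println("positional parse: authzid=" + f[0] + " authcid=" + f[1]
                + " passwordLength=" + f[2].length());
    }
}
```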