-rw-r--r--NEWS1
-rw-r--r--fetchmail.h1
-rw-r--r--imap.c20
3 files changed, 15 insertions, 7 deletions
diff --git a/NEWS b/NEWS
index 97606944..c9e1ebc1 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,7 @@ fetchmail-5.1.1 ():
* Fix lexer to permit `antispam -1'.
* Added workaround, fetchmailconf warning, and FAQ about Novell GroupWise.
* John Cigas's delay patch to avoid a timing problem with plugins.
+* Canonicalize both name and password.
There are 266 people on fetchmail-friends and 444 on fetchmail-announce.
diff --git a/fetchmail.h b/fetchmail.h
index 20387750..31db1b4c 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -53,6 +53,7 @@
*/
#define MSGBUFSIZE 8192
+#define NAMELEN 64 /* max username length */
#define PASSWORDLEN 64 /* max password length */
#define DIGESTLEN 33 /* length of MD5 digest */
diff --git a/imap.c b/imap.c
index 2405bb61..2d3d470c 100644
--- a/imap.c
+++ b/imap.c
@@ -837,17 +837,17 @@ static int do_cram_md5 (int sock, struct query *ctl)
}
}
-int imap_canonicalize(char *result, char *passwd)
+int imap_canonicalize(char *result, char *raw, int maxlen)
/* encode an IMAP password as per RFC1730's quoting conventions */
{
int i, j;
j = 0;
- for (i = 0; i < strlen(passwd); i++)
+ for (i = 0; i < strlen(raw) && i < maxlen; i++)
{
- if ((passwd[i] == '\\') || (passwd[i] == '"'))
+ if ((raw[i] == '\\') || (raw[i] == '"'))
result[j++] = '\\';
- result[j++] = passwd[i];
+ result[j++] = raw[i];
}
result[j] = '\0';
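Review bot: The comment under the new signature still speaks only of a password, and nothing at the function states the contract both callers now depend on: every input byte may be escaped, so `result` must have room for 2*maxlen+1 bytes. I would replace it with `/* quote raw per RFC1730's conventions; reads at most maxlen bytes of raw, result must hold 2*maxlen+1 bytes */`. The loop condition also calls `strlen(raw)` on every iteration and compares the `int i` against a `size_t`; computing the length once before the loop is cheap and removes the mixed-sign comparison. Only backslash and double quote are escaped, so a CR or LF in `raw` would be copied unchanged into the quoted string, which is worth rejecting if these values can ever originate outside the user's own configuration. The end of the function, including what it returns, is outside the hunk.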
@@ -858,7 +858,6 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)
/* apply for connection authorization */
{
int ok = 0;
- char password[PASSWORDLEN*2];
/* probe to see if we're running IMAP4 and can use RFC822.PEEK */
capabilities[0] = '\0';
@@ -1002,8 +1001,15 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)
};
#endif /* __UNUSED__ */
- imap_canonicalize(password, ctl->password);
- ok = gen_transact(sock, "LOGIN \"%s\" \"%s\"", ctl->remotename, password);
+ {
+ /* these sizes guarantee no buffer overflow */
+ char remotename[NAMELEN*2+1], password[PASSWORDLEN*2+1];
+
+ imap_canonicalize(remotename, ctl->remotename, NAMELEN);
+ imap_canonicalize(password, ctl->password, PASSWORDLEN);
+ ok = gen_transact(sock, "LOGIN \"%s\" \"%s\"", remotename, password);
+ }
+
if (ok)
return(ok);
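Review bot: A remote name longer than NAMELEN or a password longer than PASSWORDLEN is now cut off without any signal and LOGIN is sent with the shortened value, whereas before this change `ctl->remotename` was passed at full length. Address-style login names can exceed 64 characters, so this may turn a working configuration into an unexplained authentication failure, or into a login attempt under a different, shorter name. The return value of `imap_canonicalize` is ignored at both calls, and whether it can report truncation is not visible here. I would check `strlen(ctl->remotename) > NAMELEN` and `strlen(ctl->password) > PASSWORDLEN` before the block and fail with a clear error instead of truncating. imap_getauth continues outside the hunk.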