From 071e48042c68f2dd41ff7332fee1d9307bb9a0a6 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Fri, 2 Feb 2007 23:47:15 +0000
Subject: Do not send the real password with KPOP.

svn path=/branches/BRANCH_6-3/; revision=5021
---
 pop3.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/pop3.c b/pop3.c
index f979e838..92fe06d1 100644
--- a/pop3.c
+++ b/pop3.c
@@ -610,13 +610,23 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
 	}
 #endif /* OPIE_ENABLE */
 
+	/* KPOP uses out-of-band authentication and does not check what
+	 * we send here, so send some random fixed string, to avoid
+	 * users switching *to* KPOP accidentally revealing their
+	 * password */
+	if ((ctl->server.authenticate == A_ANY
+		    || ctl->server.authenticate == A_KERBEROS_V4
+		    || ctl->server.authenticate == A_KERBEROS_V5)
+		&& (ctl->server.service != NULL
+		    && strcmp(ctl->server.service, KPOP_PORT) == 0))
+	{
+	    ok = gen_transact(sock, "PASS krb_ticket");
+	    break;
+	}
+
 	/* check if we are actually allowed to send the password */
 	if (ctl->server.authenticate == A_ANY
-	    || ctl->server.authenticate == A_PASSWORD
-	    || ((ctl->server.authenticate == A_KERBEROS_V4
-		 || ctl->server.authenticate == A_KERBEROS_V5)
-		&& ctl->server.service
-		&& strcmp(ctl->server.service, KPOP_PORT) == 0)) {
+		|| ctl->server.authenticate == A_PASSWORD) {
 	    strlcpy(shroud, ctl->password, sizeof(shroud));
 	    ok = gen_transact(sock, "PASS %s", ctl->password);
 	} else {
-- 
cgit v1.2.3