From ca22cc0abe93c28f3d296d99c239413bb0d079c4 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 12 Jan 2021 15:36:09 +0000 Subject: [PATCH] Auths: in plaintext authenticator, fix parsing of consecutive circuflex. Bug 2687 --- doc/doc-docbook/spec.xfpt | 9 ++++++++- doc/doc-txt/ChangeLog | 7 +++++++ src/src/auths/get_data.c | 10 ++++++++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 4c79e87cf..15b03eabb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -27824,7 +27824,14 @@ fixed_plain: client_send = ^username^mysecret .endd The lack of colons means that the entire text is sent with the AUTH -command, with the circumflex characters converted to NULs. A similar example +command, with the circumflex characters converted to NULs. +.new +Note that due to the ambiguity of parsing three consectutive circumflex characters +there is no way to provide a password having a leading circumflex. +.wen + + +A similar example that uses the LOGIN mechanism is: .code fixed_login: diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d9e979c33..87bf0d009 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -170,6 +170,13 @@ JH/34 Fix the placement of a multiple-message delivery marker in the delivery JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files. +JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext + authenticator client_send option. Previously the next char, after a pair + was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became + ^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the + documentation. There is still no way to get a leading ^ immediately + after a NUL (ie. for the password of a PLAIN method authenticator. + Exim version 4.94 ----------------- diff --git a/src/src/auths/get_data.c b/src/src/auths/get_data.c index 602a1181a..88359658a 100644 --- a/src/src/auths/get_data.c +++ b/src/src/auths/get_data.c @@ -168,14 +168,20 @@ if (!ss) len = Ustrlen(ss); /* The character ^ is used as an escape for a binary zero character, which is -needed for the PLAIN mechanism. It must be doubled if really needed. */ +needed for the PLAIN mechanism. It must be doubled if really needed. + +The parsing ambiguity of ^^^ is taken as ^^ -> ^ ; ^ -> NUL - and there is +no way to get a leading ^ after a NUL. We would need to intro new syntax to +support that (probably preferring to take a more-standard exim list as a source +and concat the elements with intervening NULs. Either a magic marker on the +source string for client_send, or a new option). */ for (int i = 0; i < len; i++) if (ss[i] == '^') if (ss[i+1] != '^') ss[i] = 0; else - if (--len > ++i) memmove(ss + i, ss + i + 1, len - i); + if (--len > i+1) memmove(ss + i + 1, ss + i + 2, len - i); /* The first string is attached to the AUTH command; others are sent unembellished. */ -- 2.30.2