[nginx] Mail: fixed EXTERNAL to be accepted only if enabled.
Maxim Dounin
mdounin at mdounin.ru
Mon Jun 3 15:16:21 UTC 2024
details: http://freenginx.org/hg/nginx/rev/32d4582c484d
branches:
changeset: 9287:32d4582c484d
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Jun 03 18:03:05 2024 +0300
description:
Mail: fixed EXTERNAL to be accepted only if enabled.
As originally implemented in 6774:bcb107bb89cd, it wasn't possible to
disable the EXTERNAL authentication method: it was always accepted
(but not advertised unless enabled). It is, however, believed that
it is better to reject attempts to use the disabled method, hence in
6869:b2915d99ee8d an attempt was made to address this. This attempt
was insufficient though: it was still possible to use the method as long
as initial SASL response was used.
With this patch both challenge-response and initial response forms are
disabled. Additionally, initial response handling for the PLAIN
authentication is removed from ngx_mail_auth_parse(), for consistency
and to don't provoke such bugs.
diffstat:
src/mail/ngx_mail_imap_handler.c | 8 ++++++++
src/mail/ngx_mail_parse.c | 12 ++++--------
src/mail/ngx_mail_pop3_handler.c | 8 ++++++++
src/mail/ngx_mail_smtp_handler.c | 8 ++++++++
4 files changed, 28 insertions(+), 8 deletions(-)
diffs (110 lines):
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c
--- a/src/mail/ngx_mail_imap_handler.c
+++ b/src/mail/ngx_mail_imap_handler.c
@@ -388,6 +388,10 @@ ngx_mail_imap_authenticate(ngx_mail_sess
case NGX_MAIL_AUTH_PLAIN:
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_plain(s, c, 1);
+ }
+
ngx_str_set(&s->out, imap_plain_next);
s->mail_state = ngx_imap_auth_plain;
@@ -420,6 +424,10 @@ ngx_mail_imap_authenticate(ngx_mail_sess
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_external(s, c, 1);
+ }
+
ngx_str_set(&s->out, imap_username);
s->mail_state = ngx_imap_auth_external;
diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -934,13 +934,11 @@ ngx_mail_auth_parse(ngx_mail_session_t *
if (ngx_strncasecmp(arg[0].data, (u_char *) "PLAIN", 5) == 0) {
- if (s->args.nelts == 1) {
+ if (s->args.nelts == 1 || s->args.nelts == 2) {
return NGX_MAIL_AUTH_PLAIN;
}
- if (s->args.nelts == 2) {
- return ngx_mail_auth_plain(s, c, 1);
- }
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
}
return NGX_MAIL_PARSE_INVALID_COMMAND;
@@ -959,13 +957,11 @@ ngx_mail_auth_parse(ngx_mail_session_t *
if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) {
- if (s->args.nelts == 1) {
+ if (s->args.nelts == 1 || s->args.nelts == 2) {
return NGX_MAIL_AUTH_EXTERNAL;
}
- if (s->args.nelts == 2) {
- return ngx_mail_auth_external(s, c, 1);
- }
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
}
return NGX_MAIL_PARSE_INVALID_COMMAND;
diff --git a/src/mail/ngx_mail_pop3_handler.c b/src/mail/ngx_mail_pop3_handler.c
--- a/src/mail/ngx_mail_pop3_handler.c
+++ b/src/mail/ngx_mail_pop3_handler.c
@@ -517,6 +517,10 @@ ngx_mail_pop3_auth(ngx_mail_session_t *s
case NGX_MAIL_AUTH_PLAIN:
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_plain(s, c, 1);
+ }
+
ngx_str_set(&s->out, pop3_next);
s->mail_state = ngx_pop3_auth_plain;
@@ -541,6 +545,10 @@ ngx_mail_pop3_auth(ngx_mail_session_t *s
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_external(s, c, 1);
+ }
+
ngx_str_set(&s->out, pop3_username);
s->mail_state = ngx_pop3_auth_external;
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -701,6 +701,10 @@ ngx_mail_smtp_auth(ngx_mail_session_t *s
case NGX_MAIL_AUTH_PLAIN:
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_plain(s, c, 1);
+ }
+
ngx_str_set(&s->out, smtp_next);
s->mail_state = ngx_smtp_auth_plain;
@@ -733,6 +737,10 @@ ngx_mail_smtp_auth(ngx_mail_session_t *s
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
+ if (s->args.nelts == 2) {
+ return ngx_mail_auth_external(s, c, 1);
+ }
+
ngx_str_set(&s->out, smtp_username);
s->mail_state = ngx_smtp_auth_external;
More information about the nginx-devel
mailing list