Mercurial > hg > nginx
diff src/mail/ngx_mail_parse.c @ 9287:32d4582c484d
Mail: fixed EXTERNAL to be accepted only if enabled.
As originally implemented in 6774:bcb107bb89cd, it wasn't possible to
disable the EXTERNAL authentication method: it was always accepted
(but not advertised unless enabled). It is, however, believed that
it is better to reject attempts to use the disabled method, hence in
6869:b2915d99ee8d an attempt was made to address this. This attempt
was insufficient though: it was still possible to use the method as long
as initial SASL response was used.
With this patch both challenge-response and initial response forms are
disabled. Additionally, initial response handling for the PLAIN
authentication is removed from ngx_mail_auth_parse(), for consistency
and to don't provoke such bugs.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 03 Jun 2024 18:03:05 +0300 |
parents | b38728495e1a |
children | 20017bff0de8 |
line wrap: on
line diff
--- a/src/mail/ngx_mail_parse.c Sun Jun 02 23:51:55 2024 +0300 +++ b/src/mail/ngx_mail_parse.c Mon Jun 03 18:03:05 2024 +0300 @@ -934,13 +934,11 @@ if (ngx_strncasecmp(arg[0].data, (u_char *) "PLAIN", 5) == 0) { - if (s->args.nelts == 1) { + if (s->args.nelts == 1 || s->args.nelts == 2) { return NGX_MAIL_AUTH_PLAIN; } - if (s->args.nelts == 2) { - return ngx_mail_auth_plain(s, c, 1); - } + return NGX_MAIL_PARSE_INVALID_COMMAND; } return NGX_MAIL_PARSE_INVALID_COMMAND; @@ -959,13 +957,11 @@ if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) { - if (s->args.nelts == 1) { + if (s->args.nelts == 1 || s->args.nelts == 2) { return NGX_MAIL_AUTH_EXTERNAL; } - if (s->args.nelts == 2) { - return ngx_mail_auth_external(s, c, 1); - } + return NGX_MAIL_PARSE_INVALID_COMMAND; } return NGX_MAIL_PARSE_INVALID_COMMAND;