# HG changeset patch
# User Maxim Dounin
# Date 1717426985 -10800
# Node ID 32d4582c484d2b43e7b2a273daf60d3b0aaa6914
# Parent d9fe808c1841b4d9b2c5884cb561a14ad2b504ee
Mail: fixed EXTERNAL to be accepted only if enabled.

As originally implemented in 6774:bcb107bb89cd, it wasn't possible to disable the EXTERNAL authentication method: it was always accepted (but not advertised unless enabled). It is, however, believed that it is better to reject attempts to use the disabled method, hence in 6869:b2915d99ee8d an attempt was made to address this. This attempt was insufficient though: it was still possible to use the method as long as initial SASL response was used. With this patch both challenge-response and initial response forms are disabled. Additionally, initial response handling for the PLAIN authentication is removed from ngx_mail_auth_parse(), for consistency and to not provoke such bugs.

diff -r d9fe808c1841 -r 32d4582c484d src/mail/ngx_mail_imap_handler.c --- a/src/mail/ngx_mail_imap_handler.c Sun Jun 02 23:51:55 2024 +0300 +++ b/src/mail/ngx_mail_imap_handler.c Mon Jun 03 18:03:05 2024 +0300 @@ -388,6 +388,10 @@ case NGX_MAIL_AUTH_PLAIN: + if (s->args.nelts == 2) { + return ngx_mail_auth_plain(s, c, 1); + } + ngx_str_set(&s->out, imap_plain_next); s->mail_state = ngx_imap_auth_plain; @@ -420,6 +424,10 @@ return NGX_MAIL_PARSE_INVALID_COMMAND; } + if (s->args.nelts == 2) { + return ngx_mail_auth_external(s, c, 1); + } + ngx_str_set(&s->out, imap_username); s->mail_state = ngx_imap_auth_external; diff -r d9fe808c1841 -r 32d4582c484d src/mail/ngx_mail_parse.c --- a/src/mail/ngx_mail_parse.c Sun Jun 02 23:51:55 2024 +0300 +++ b/src/mail/ngx_mail_parse.c Mon Jun 03 18:03:05 2024 +0300 
@@ -934,13 +934,11 @@ if (ngx_strncasecmp(arg[0].data, (u_char *) "PLAIN", 5) == 0) { - if (s->args.nelts == 1) { + if (s->args.nelts == 1 || s->args.nelts == 2) { return NGX_MAIL_AUTH_PLAIN; } - if (s->args.nelts == 2) { - return ngx_mail_auth_plain(s, c, 1); - } + return NGX_MAIL_PARSE_INVALID_COMMAND; } return NGX_MAIL_PARSE_INVALID_COMMAND; @@ -959,13 +957,11 @@ if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) { - if (s->args.nelts == 1) { + if (s->args.nelts == 1 || s->args.nelts == 2) { return NGX_MAIL_AUTH_EXTERNAL; } - if (s->args.nelts == 2) { - return ngx_mail_auth_external(s, c, 1); - } + return NGX_MAIL_PARSE_INVALID_COMMAND; } return NGX_MAIL_PARSE_INVALID_COMMAND; diff -r d9fe808c1841 -r 32d4582c484d src/mail/ngx_mail_pop3_handler.c --- a/src/mail/ngx_mail_pop3_handler.c Sun Jun 02 23:51:55 2024 +0300 +++ b/src/mail/ngx_mail_pop3_handler.c Mon Jun 03 18:03:05 2024 +0300 @@ -517,6 +517,10 @@ case NGX_MAIL_AUTH_PLAIN: + if (s->args.nelts == 2) { + return ngx_mail_auth_plain(s, c, 1); + } + ngx_str_set(&s->out, pop3_next); s->mail_state = ngx_pop3_auth_plain; @@ -541,6 +545,10 @@ return NGX_MAIL_PARSE_INVALID_COMMAND; } + if (s->args.nelts == 2) { + return ngx_mail_auth_external(s, c, 1); + } + ngx_str_set(&s->out, pop3_username); s->mail_state = ngx_pop3_auth_external; diff -r d9fe808c1841 -r 32d4582c484d src/mail/ngx_mail_smtp_handler.c --- a/src/mail/ngx_mail_smtp_handler.c Sun Jun 02 23:51:55 2024 +0300 +++ b/src/mail/ngx_mail_smtp_handler.c Mon Jun 03 18:03:05 2024 +0300 @@ -701,6 +701,10 @@ case NGX_MAIL_AUTH_PLAIN: + if (s->args.nelts == 2) { + return ngx_mail_auth_plain(s, c, 1); + } + ngx_str_set(&s->out, smtp_next); s->mail_state = ngx_smtp_auth_plain; @@ -733,6 +737,10 @@ return NGX_MAIL_PARSE_INVALID_COMMAND; } + if (s->args.nelts == 2) { + return ngx_mail_auth_external(s, c, 1); + } + ngx_str_set(&s->out, smtp_username); s->mail_state = ngx_smtp_auth_external;
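
Review bot: the new caller contract in the two src/mail/ngx_mail_parse.c hunks is undocumented. With `if (s->args.nelts == 1 || s->args.nelts == 2)` returning NGX_MAIL_AUTH_PLAIN or NGX_MAIL_AUTH_EXTERNAL for both forms, the return value no longer tells the caller whether an initial response is present, and a caller that forgets to test `s->args.nelts == 2` will fall through to its challenge path and ignore the supplied response. A short comment at these returns, or at the head of ngx_mail_auth_parse(), stating that callers must handle the two-argument form would make that explicit. With the `ngx_mail_auth_plain(s, c, 1)` and `ngx_mail_auth_external(s, c, 1)` calls removed here, it is also worth checking whether `c` is still used anywhere in this function.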
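
Review bot: in the `case NGX_MAIL_AUTH_PLAIN:` hunks of ngx_mail_imap_handler.c, ngx_mail_pop3_handler.c and ngx_mail_smtp_handler.c, the added initial-response branch is the first statement of the case, with no auth-method check visible ahead of it, whereas the EXTERNAL branch in the same files sits below a block ending in `return NGX_MAIL_PARSE_INVALID_COMMAND;`. If PLAIN is meant to be accepted unconditionally, a comment saying so would stop the asymmetry from looking like an omission; if PLAIN can be disabled in any of the three protocols, the same rejection has to come before `return ngx_mail_auth_plain(s, c, 1);`.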
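
Review bot: in the EXTERNAL hunks of the three handler files, the fix depends entirely on placement, and nothing in the code records that. `if (s->args.nelts == 2) {` followed by `return ngx_mail_auth_external(s, c, 1);` must stay below the block that returns NGX_MAIL_PARSE_INVALID_COMMAND, so a one-line comment on the ordering would protect it from a later reshuffle. Since the commit message says the earlier attempt missed exactly the initial-response form, tests that send EXTERNAL with an initial response while the method is disabled, for IMAP, POP3 and SMTP, should accompany this change. The same branch is now added six times across the handlers; a small shared helper taking the auth function would keep the copies from drifting apart.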