nginx: src/mail/ngx_mail_parse.c comparison

comparison src/mail/ngx_mail_parse.c @ 9287:32d4582c484d

Mail: fixed EXTERNAL to be accepted only if enabled. As originally implemented in 6774:bcb107bb89cd, it wasn't possible to disable the EXTERNAL authentication method: it was always accepted (but not advertised unless enabled). It is, however, believed that it is better to reject attempts to use the disabled method, hence in 6869:b2915d99ee8d an attempt was made to address this. This attempt was insufficient though: it was still possible to use the method as long as initial SASL response was used. With this patch both challenge-response and initial response forms are disabled. Additionally, initial response handling for the PLAIN authentication is removed from ngx_mail_auth_parse(), for consistency and to don't provoke such bugs.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 03 Jun 2024 18:03:05 +0300
parents	b38728495e1a
children	20017bff0de8

comparison

equal deleted inserted replaced

-:d9fe808c1841
+:32d4582c484d
 return NGX_MAIL_PARSE_INVALID_COMMAND;
 }
 if (ngx_strncasecmp(arg[0].data, (u_char *) "PLAIN", 5) == 0) {
-if (s->args.nelts == 1) {
+if (s->args.nelts == 1 || s->args.nelts == 2) {
 return NGX_MAIL_AUTH_PLAIN;
 }
-if (s->args.nelts == 2) {
+return NGX_MAIL_PARSE_INVALID_COMMAND;
-return ngx_mail_auth_plain(s, c, 1);
-}
 }
 return NGX_MAIL_PARSE_INVALID_COMMAND;
 }
 return NGX_MAIL_AUTH_CRAM_MD5;
 }
 if (ngx_strncasecmp(arg[0].data, (u_char *) "EXTERNAL", 8) == 0) {
-if (s->args.nelts == 1) {
+if (s->args.nelts == 1 || s->args.nelts == 2) {
 return NGX_MAIL_AUTH_EXTERNAL;
 }
-if (s->args.nelts == 2) {
+return NGX_MAIL_PARSE_INVALID_COMMAND;
-return ngx_mail_auth_external(s, c, 1);
-}
 }
 return NGX_MAIL_PARSE_INVALID_COMMAND;
 }

Mercurial > hg > nginx

comparison src/mail/ngx_mail_parse.c @ 9287:32d4582c484d