Red Hat Bugzilla – Bug 432797
Cyrus-IMAPd forgots to trim spaces for accounts/mailboxes
Last modified: 2010-03-05 10:02:40 EST
Description of problem:
When having the following configuration as mentioned below, it is possible to
use "foo " (without the quotation marks but including the terminating space) as
user name. Authentication works, but a new mailbox is created instead of using
the existing one without the closing space.
So user "foo" (without the quotation marks) can login normally etc. and when
using "foo " it works as well, but a new mailbox is created (the creation itself
is caused by the settings of cyrus-imap). The wrong on this behaviour is: Either
accept the space always and trim it always or accept it never and trim it never,
so that the authentication already fails.
Trimming the spaces for authentication but keeping it for the mailbox name is
just horrible wrong and has to be fixed as soon as possible, as this is likely
a possible security issue as well. Thus I'm going to mark this bug report as a
security one as well.
--- snipp /etc/imapd.conf ---
# Individuelle Einstellungen
--- snapp /etc/imapd.conf ---
Version-Release number of selected component (if applicable):
Everytime, see above.
Cyrus-IMAPd forgots to trim spaces for accounts/mailboxes, but trims it for
the PAM authentication.
Either always trimming the spaces even for accounts/mailboxes itself or never
trim it and refuse the authentication.
This bug report will be referenced with a valid subscription in the future.
Robert: I can't imagine what security consequences could this have. Worst thing
this could cause that empty mailboxes with bogus names will be left behind.
Well...if a space is possible, I don't want to image, what else is maybe
possible to add there instead of the space. I won't try that, because that
RHEL4 system is not mine. Maybe I'm paranoid, but it could be the top of
an iceberg. If you can't agree with me, remove the Security flag and keep
it as regular bug report - thank you.
I'd definitely appreciate the opinion and closer look from the maintainer --
Tomas, any thoughts on this?
This is done in cyrus-sasl by the _sasl_canon_user function. Adding Steve
Conklin (cyrus-sasl maintainer) to Cc.
(yes, I have been able to successfully authenticate with space-padded password
to postfix as well)
Ping - is there any update?
Oh fuck, Steve's not in Cc, sorry.
I'd say that for Rawhide we could drop the trimming code from cyrus-sasl and see
what breaks. But as cyrus-sasl is used in many more applications/services than
cyrus-imap I'd definitely prefer for RHEL-4 to fix this in cyrus-imap.
Btw, the code really trims only isspace() characters from beginning and end of
the user name + and eventually adds realm if it is configured to do so.
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
I'm sorry for not addressing the issue in RHEL-4. As cyrus-imapd
is not scheduled for update in RHEL-4.9, I'm closing that bugzilla WONTFIX. If
you are still experiencing the issue with RHEL-5, feel free to reopen it