Description of problem:
When having the following configuration as mentioned below, it is possible to use "foo " (without the quotation marks but including the terminating space) as user name. Authentication works, but a new mailbox is created instead of using the existing one without the closing space. So user "foo" (without the quotation marks) can log in normally etc., and when using "foo " it works as well, but a new mailbox is created (the creation itself is caused by the settings of cyrus-imap). What is wrong with this behaviour is: either accept the space always and trim it always, or accept it never and trim it never, so that the authentication already fails. Trimming the spaces for authentication but keeping them for the mailbox name is just horribly wrong and has to be fixed as soon as possible, as this is likely a possible security issue as well. Thus I'm going to mark this bug report as a security one as well.

--- snipp /etc/imapd.conf ---
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
# Individual settings
autocreateinboxfolders: Entwurf|Gesendet|Papierkorb|Spam
autosubscribeinboxfolders: Entwurf|Gesendet|Papierkorb|Spam
autosievefolders: Spam
autocreatequota: 102400
unixhierarchysep: 1
createonpost: 1
--- snapp /etc/imapd.conf ---

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.12-8.1.RHEL4

How reproducible:
Every time, see above.

Actual results:
Cyrus-IMAPd forgets to trim spaces for accounts/mailboxes, but trims them for the PAM authentication.

Expected results:
Either always trim the spaces even for accounts/mailboxes itself, or never trim them and refuse the authentication.
Additional info: This bug report will be referenced with a valid subscription in the future.
Robert: I can't imagine what security consequences this could have. The worst thing this could cause is that empty mailboxes with bogus names will be left behind.
Well... if a space is possible, I don't want to imagine what else is maybe possible to add there instead of the space. I won't try that, because that RHEL4 system is not mine. Maybe I'm paranoid, but it could be the top of an iceberg. If you can't agree with me, remove the Security flag and keep it as a regular bug report - thank you.
I'd definitely appreciate the opinion and closer look from the maintainer -- Tomas, any thoughts on this?
This is done in cyrus-sasl by the _sasl_canon_user function. Adding Steve Conklin (cyrus-sasl maintainer) to Cc. (yes, I have been able to successfully authenticate with space-padded password to postfix as well)
Ping - is there any update?
Oh fuck, Steve's not in Cc, sorry.
Ping?
I'd say that for Rawhide we could drop the trimming code from cyrus-sasl and see what breaks. But as cyrus-sasl is used in many more applications/services than cyrus-imap, I'd definitely prefer for RHEL-4 to fix this in cyrus-imap. Btw, the code really trims only isspace() characters from the beginning and end of the user name, and eventually adds the realm if it is configured to do so.
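An added illustration of the mismatch discussed in this thread; it is not code from cyrus-sasl or cyrus-imapd. It re-implements, in simplified form, the trimming just described (isspace() characters stripped from both ends, optional "@realm" appended) and sets it beside the mailbox name that cyrus-imapd derives from the login string, so the check flags any login whose raw and canonicalized mailbox names differ. The "user/" prefix (unixhierarchysep: 1) and the realm handling are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 256

/* Simplified stand-in for the canonicalization the thread attributes to
 * cyrus-sasl's _sasl_canon_user: drop isspace() bytes at both ends and,
 * when a realm is configured, append "@realm" (assumption: always appended).
 * Returns the canonical length, or -1 if the buffer is too small. */
int canon_user(const char *raw, const char *realm, char *out, size_t outlen)
{
    const char *start = raw, *end;
    while (*start && isspace((unsigned char)*start)) start++;
    end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1])) end--;

    size_t n = (size_t)(end - start);
    size_t extra = (realm && *realm) ? 1 + strlen(realm) : 0;
    if (n + extra + 1 > outlen) return -1;

    memcpy(out, start, n);
    if (extra) {
        out[n] = '@';
        memcpy(out + n + 1, realm, strlen(realm));
    }
    out[n + extra] = '\0';
    return (int)(n + extra);
}

/* Mailbox name as derived from a user name with unixhierarchysep: 1
 * (assumed layout "user/<name>"). The reported bug feeds the raw,
 * untrimmed login string into this instead of the canonical user. */
static void mailbox_name(const char *name, char *out, size_t outlen)
{
    snprintf(out, outlen, "user/%s", name);
}

/* 1 if the mailbox keyed by the raw login differs from the one keyed by the
 * canonical user (e.g. "foo " authenticates as "foo" but gets "user/foo "),
 * 0 if they agree, -1 on buffer overflow. A server that derives the mailbox
 * from the canonical name never hits the mismatch. */
int login_creates_orphan_mailbox(const char *raw_login)
{
    char canon[MAX_NAME], mb_raw[MAX_NAME], mb_canon[MAX_NAME];
    if (canon_user(raw_login, NULL, canon, sizeof canon) < 0) return -1;
    mailbox_name(raw_login, mb_raw, sizeof mb_raw);
    mailbox_name(canon, mb_canon, sizeof mb_canon);
    return strcmp(mb_raw, mb_canon) != 0;
}
```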
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
I'm sorry for not addressing the issue in RHEL-4. As cyrus-imapd is not scheduled for update in RHEL-4.9, I'm closing that bugzilla WONTFIX. If you are still experiencing the issue with RHEL-5, feel free to reopen it against RHEL-5.