Bug 432797 - Cyrus-IMAPd forgots to trim spaces for accounts/mailboxes
Cyrus-IMAPd forgots to trim spaces for accounts/mailboxes
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cyrus-imapd (Show other bugs)
All Linux
low Severity low
: rc
: ---
Assigned To: Michal Hlavinka
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2008-02-14 08:19 EST by Robert Scheck
Modified: 2010-03-05 10:02 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-05 10:02:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2008-02-14 08:19:49 EST
Description of problem:
When having the following configuration as mentioned below, it is possible to 
use "foo " (without the quotation marks but including the terminating space) as
user name. Authentication works, but a new mailbox is created instead of using 
the existing one without the closing space.

So user "foo" (without the quotation marks) can login normally etc. and when 
using "foo " it works as well, but a new mailbox is created (the creation itself
is caused by the settings of cyrus-imap). The wrong on this behaviour is: Either
accept the space always and trim it always or accept it never and trim it never,
so that the authentication already fails. 

Trimming the spaces for authentication but keeping it for the mailbox name is 
just horrible wrong and has to be fixed as soon as possible, as this is likely
a possible security issue as well. Thus I'm going to mark this bug report as a 
security one as well.

--- snipp /etc/imapd.conf ---
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt

# Individuelle Einstellungen
autocreateinboxfolders: Entwurf|Gesendet|Papierkorb|Spam
autosubscribeinboxfolders: Entwurf|Gesendet|Papierkorb|Spam
autosievefolders: Spam
autocreatequota: 102400
unixhierarchysep: 1
createonpost: 1
--- snapp /etc/imapd.conf ---

Version-Release number of selected component (if applicable):

How reproducible:
Everytime, see above.

Actual results:
Cyrus-IMAPd forgots to trim spaces for accounts/mailboxes, but trims it for
the PAM authentication.

Expected results:
Either always trimming the spaces even for accounts/mailboxes itself or never 
trim it and refuse the authentication.

Additional info:
This bug report will be referenced with a valid subscription in the future.
Comment 1 Lubomir Kundrak 2008-02-15 12:58:15 EST
Robert: I can't imagine what security consequences could this have. Worst thing
this could cause that empty mailboxes with bogus names will be left behind.
Comment 2 Robert Scheck 2008-02-15 14:07:44 EST
Well...if a space is possible, I don't want to image, what else is maybe 
possible to add there instead of the space. I won't try that, because that
RHEL4 system is not mine. Maybe I'm paranoid, but it could be the top of
an iceberg. If you can't agree with me, remove the Security flag and keep
it as regular bug report - thank you.
Comment 3 Lubomir Kundrak 2008-02-16 06:37:04 EST
I'd definitely appreciate the opinion and closer look from the maintainer --
Tomas, any thoughts on this?
Comment 5 Tomas Janousek 2008-02-29 08:09:57 EST
This is done in cyrus-sasl by the _sasl_canon_user function. Adding Steve
Conklin (cyrus-sasl maintainer) to Cc.

(yes, I have been able to successfully authenticate with space-padded password
to postfix as well)
Comment 6 Robert Scheck 2008-04-05 17:55:38 EDT
Ping - is there any update?
Comment 7 Tomas Janousek 2008-04-06 04:03:13 EDT
Oh fuck, Steve's not in Cc, sorry.
Comment 8 Robert Scheck 2008-05-17 15:03:49 EDT
Comment 9 Tomas Mraz 2008-05-22 09:54:03 EDT
I'd say that for Rawhide we could drop the trimming code from cyrus-sasl and see
what breaks. But as cyrus-sasl is used in many more applications/services than
cyrus-imap I'd definitely prefer for RHEL-4 to fix this in cyrus-imap.

Btw, the code really trims only isspace() characters from beginning and end of
the user name + and eventually adds realm if it is configured to do so.
Comment 10 RHEL Product and Program Management 2008-10-31 12:37:25 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 11 Michal Hlavinka 2010-03-05 10:02:40 EST
I'm sorry for not addressing the issue in RHEL-4. As cyrus-imapd
is not scheduled for update in RHEL-4.9, I'm closing that bugzilla WONTFIX. If
you are still experiencing the issue with RHEL-5, feel free to reopen it
against RHEL-5.

Note You need to log in before you can comment on or make changes to this bug.