On Fri, 27 Dec 2024 22:52:04 +0100,
Stuart Henderson <stu@spacehopper.org> wrote:
>
> On 2024/12/27 20:57, Kirill A. Korinsky wrote:
> > On Fri, 27 Dec 2024 20:45:18 +0100,
> > Stuart Henderson <stu@spacehopper.org> wrote:
> > >
> > > On 2024/12/27 18:56, Klemens Nanni wrote:
> > > > 26.12.2024 16:00, Kirill A. Korinsky wrote:
> > > > > I've been using this for more than a month and am quite happy with it.
> > > > >
> > > > > I also made a small investigation to prove that it is under GPLv2+ as
> > > > > a derivative of GPLv2+ code, so we can package and distribute it.
> > > >
> > > > Port-wise trivial, OK kn
> > > >
> > > > I don't run any of this, so haven't tested it myself.
> > > >
> > > > I'd spell out RUN_DEPENDS, though, rather than including ${BUILD_DEPENDS}.
> > >
> > > RUN_DEPENDS=${BUILD_DEPENDS} would be a bad way to silently drag
> > > hidden BDEPs in as RDEPs, but the p5-Authen-SASL port has it the
> > > other way round, which is ok:
> > >
> > > BUILD_DEPENDS = ${RUN_DEPENDS}
> > > RUN_DEPENDS = security/p5-Authen-SASL
> > >
> > > Typo: s/migth/might/ in security/ejabberd-dovecot-auth/pkg/README.
> > >
> >
> > I think that using the same dependency twice, as Klemens suggested, is
> > the cleaner way. So, here is an updated version.
> >
> > Ok to import?
>
> ok,
>
> regarding the filtering -
>
> I see the problem for user_dovecot (and sort-of for logs, though
> if anything parsing logs is susceptible to shell chars you have bigger
> problems ;)
>
> for auth_dovecot, the password and username are b64-encoded. for
> simplicity/sanity I think you want the same filtering on username as
> for user_dovecot. but for the password, I think you only have \0 to
> worry about?
>
Here is an updated .tgz where I made things cleaner, I think:
1. dovecot requires \00, \01, \t, \r and \n to be escaped by adding \01;
2. base64 encoded password should be sent as is;
3. escaping is moved to Authd.pm where it should be.
Ok?
--
wbr, Kirill
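
The escaping rule from the list above, as an added Perl example that is not the port's Authd.pm: the page only says the five bytes are escaped "by adding \01", so the marker byte that follows \01 is assumed here from Dovecot's tab-escaping convention, and the simplified request line and all function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Assumed escape table: \x01 followed by a printable marker byte.
my %ESC = (
    "\x{00}" => "\x{01}0",
    "\x{01}" => "\x{01}1",
    "\t"     => "\x{01}t",
    "\r"     => "\x{01}r",
    "\n"     => "\x{01}n",
);
my %UNESC = reverse %ESC;

# Escape one field value so it cannot end the field (\t) or the line (\n).
sub tab_escape {
    my ($s) = @_;
    $s =~ s/([\x00\x01\t\r\n])/$ESC{$1}/g;
    return $s;
}

# Inverse, as the receiving side would apply it to each field.
sub tab_unescape {
    my ($s) = @_;
    $s =~ s/(\x01.)/exists $UNESC{$1} ? $UNESC{$1} : $1/ges;
    return $s;
}

# Hypothetical, simplified request line: tab-separated fields, one per line.
sub request_line {
    my ($user) = @_;
    return join("\t", "USER", 1, $user, "service=xmpp");
}

sub field_count { my @f = split /\t/, $_[0], -1; return scalar @f }

my $user = "alice\tx=y\r\n";          # constructed input with separators
my $pass = "pa\x{00}ss\tword\n";      # constructed input

printf "unescaped fields: %d\n", field_count(request_line($user));
printf "escaped fields:   %d\n", field_count(request_line(tab_escape($user)));
printf "round trip ok:    %s\n",
    tab_unescape(tab_escape($user)) eq $user ? "yes" : "no";

# Second argument "" stops encode_base64 from appending its default "\n".
my $b64 = encode_base64($pass, "");
printf "base64 clean:     %s\n", $b64 =~ /[\x00\x01\t\r\n]/ ? "no" : "yes";
```

The base64 alphabet contains none of the five escaped bytes, which is why the encoded password can be sent as is, provided the encoder is not left to append a line ending of its own.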