On 4/6/07, Sam Varshavchik <mrs...@courier-mta.com> wrote:
> Matt Cornell writes:
> Now; 'there is an arbitrary filter that has nothing to do with
> authentication and violates RFC2822' would be much more informative. Or
> even more informative would be "an arbitrary filter that prevents lame SQL
> injection attacks".
There you go! This had the chance of being unintentionally helpful. It
hadn't occurred to me that it could be a feature to protect against an
injection exploit.
In the interest of giving this a cursory thought, I remember that in the
elusive details of my first email I had mentioned that the authentication
module part of the exchange worked as it should... which means that the part
that interacts with SQL already washes its input correctly.
Which brings us back to the 'arbitrary' part of the above statement. Since
it obviously doesn't prohibit the SQL query from happening at least once in
order to authenticate, then it's some whimsical protection. Shouldn't
anything related to SQL just be the responsibility of the authentication
module? Sqwebmail should only need to know "Is this a valid user?" and
"Where are the files?". I guess there could be a problem at the filesystem
level if the username value wasn't interpreted correctly or something.
Thanks again for taking the time to respond.