75 messages in net.sourceforge.lists.courier-users[courier-users] Re: webmail doesn't l...| From | Sent On | Attachments |
|---|---|---|
| M.B. | Feb 15, 2002 8:25 pm | |
| Sam Varshavchik | Feb 15, 2002 9:00 pm | |
| Juha Saarinen | Feb 15, 2002 9:13 pm | |
| M.B. | Feb 16, 2002 12:37 am | |
| M.B. | Feb 16, 2002 12:51 am | |
| Juha Saarinen | Feb 16, 2002 1:34 am | |
| M.B. | Feb 16, 2002 1:37 am | |
| Juha Saarinen | Feb 16, 2002 1:41 am | |
| M.B. | Feb 16, 2002 2:28 am | |
| M.B. | Feb 16, 2002 2:30 am | |
| Sam Varshavchik | Feb 16, 2002 6:38 am | |
| William Rowden | Feb 16, 2002 9:31 am | |
| M.B. | Feb 16, 2002 4:05 pm | |
| Sam Varshavchik | Feb 16, 2002 4:39 pm | |
| M.B. | Feb 16, 2002 7:11 pm | |
| M.B. | Feb 16, 2002 7:29 pm | |
| Tucker | Feb 16, 2002 7:42 pm | |
| Sam Varshavchik | Feb 16, 2002 7:49 pm | |
| M.B. | Feb 16, 2002 7:55 pm | |
| M.B. | Feb 16, 2002 7:57 pm | |
| Sam Varshavchik | Feb 16, 2002 8:06 pm | |
| M.B. | Feb 17, 2002 8:57 am | |
| M.B. | Feb 17, 2002 9:02 am | |
| M.B. | Feb 17, 2002 10:23 am | |
| Sam Varshavchik | Feb 17, 2002 12:32 pm | |
| M.B. | Feb 17, 2002 3:23 pm | |
| M.B. | Feb 17, 2002 3:53 pm | |
| M.B. | Feb 17, 2002 7:53 pm | |
| Juha Saarinen | Feb 17, 2002 8:09 pm | |
| M.B. | Feb 17, 2002 8:28 pm | |
| M.B. | Feb 17, 2002 8:44 pm | |
| David M. Stowell | Feb 17, 2002 9:07 pm | |
| Sam Varshavchik | Feb 17, 2002 9:19 pm | |
| Juha Saarinen | Feb 17, 2002 10:21 pm | |
| Juha Saarinen | Feb 17, 2002 10:24 pm | |
| David M. Stowell | Feb 17, 2002 10:29 pm | |
| David M. Stowell | Feb 17, 2002 10:32 pm | |
| M.B. | Feb 17, 2002 11:17 pm | |
| M.B. | Feb 17, 2002 11:22 pm | |
| M.B. | Feb 18, 2002 12:53 am | |
| Sysop | Feb 18, 2002 8:28 am | |
| William Rowden | Feb 18, 2002 11:34 am | |
| M.B. | Feb 18, 2002 3:42 pm | |
| David M. Stowell | Feb 18, 2002 4:49 pm | |
| M.B. | Feb 18, 2002 5:15 pm | |
| David M. Stowell | Feb 18, 2002 5:26 pm | |
| M.B. | Feb 18, 2002 7:21 pm | |
| David M. Stowell | Feb 18, 2002 7:45 pm | |
| Juha Saarinen | Feb 18, 2002 8:09 pm | |
| Sam Varshavchik | Feb 18, 2002 8:41 pm | |
| marc lindahl | Feb 20, 2002 12:19 am | |
| marc lindahl | Feb 22, 2002 6:16 am | |
| Anand Buddhdev | Feb 22, 2002 6:28 am | |
| marc lindahl | Feb 22, 2002 8:23 am | |
| marc lindahl | Feb 22, 2002 8:44 am | |
| Juha Saarinen | Feb 22, 2002 11:36 am | |
| M.B. | Feb 23, 2002 11:55 pm | |
| Jan Lange | Feb 24, 2002 5:06 am | |
| marc lindahl | Feb 24, 2002 10:10 am | |
| marc lindahl | Feb 24, 2002 10:16 am | |
| marc lindahl | Feb 24, 2002 1:38 pm | |
| Sam Varshavchik | Feb 24, 2002 1:46 pm | |
| Anand Buddhdev | Feb 24, 2002 2:07 pm | |
| marc lindahl | Feb 24, 2002 2:31 pm | |
| Sam Varshavchik | Feb 24, 2002 2:45 pm | |
| Juha Saarinen | Feb 24, 2002 2:53 pm | |
| marc lindahl | Feb 24, 2002 2:59 pm | |
| Anand Buddhdev | Feb 24, 2002 5:40 pm | |
| marc lindahl | Feb 24, 2002 6:13 pm | |
| Francois PHILIPPO | Feb 24, 2002 11:59 pm | |
| Sam Varshavchik | Feb 25, 2002 4:35 am | |
| Robert L Mathews | Feb 25, 2002 12:03 pm | |
| marc lindahl | Feb 25, 2002 2:14 pm | |
| Robert L Mathews | Feb 25, 2002 3:23 pm | |
| marc lindahl | Mar 4, 2002 3:11 am |
| Subject: | [courier-users] Re: webmail doesn't like asterisk in password? | |
|---|---|---|
| From: | Robert L Mathews (lis...@tigertech.com) | |
| Date: | Feb 25, 2002 12:03:53 pm | |
| List: | net.sourceforge.lists.courier-users | |
At 2/24/02 12:00 PM, marc lindahl wrote:
I found a function called badstr() in auth.c - it looks like it's being used to qualify both the username in verifyuid() and username and password in login() and login_changepwd().
This issue came up on the sqwebmail users list a couple of weeks ago. I did some fairly extensive research into it.
The badstr() function checks for shell characters in the password in two cases: when the user logs in, and when the user is changing the password.
I traced through the code and verified to my own satisfaction that the password can never be passed to the shell in the first case (user login). Therefore, I disabled the badstr() check in that case, and users can now login with their funky passwords.
The second case (user changing password) is NOT safe to disable, as the password may be passed to the shell by password-changing modules. I left the badstr() check in place there. (In my case, this didn't matter, as I don't allow users to change their passwords via sqwebmail anyway.)
This was all on version 3.2; it's theoretically possible things have changed in 3.3.1.
Hope this helps.
-- Robert L Mathews, Tiger Technologies
"The trouble with doing something right the first time is that nobody appreciates how difficult it was."