View Issue Details

IDProjectCategoryView StatusLast Update
0001382SOGoWeb Mailpublic2011-12-30 20:03
Reporterdoma Assigned Toludovic  
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version1.3.7 
Target Version1.3.12Fixed in Version1.3.12 
Summary0001382: The user password with non-alphanumeric characters is modified at IMAP connections
Description

If the user password contains non-alphanumeric characters, Sogo authenticates the user with success at the connection but it sends a bad password to the imap server and so, the user get a blank page for its mail (Authentication Failure on the imap server).
For example, if the password is "toto*11", Sogo sends "toto\*11" to the imap server !

TagsNo tags attached.

Activities

gienger

gienger

2011-07-19 06:30

reporter   ~0002721

Should'nt it be {8} toto*11? :D

Perhaps it would be a nice idea to implement some better login algorithm for IMAP instead of the old "A001 LOGIN user pass". AUTHENTICATE PLAIN would be such a candidate (through an SSL connection, sure).

pwyman

pwyman

2011-08-19 23:03

reporter   ~0002813

I'm seeing this behavior as well with version 1.3.8b and 1.3.8a.
The issue is apparent in Wireshark captures.
The special characters in the IMAP password look as though they are being needlessly escaped with slashes.

pwyman

pwyman

2011-09-02 21:49

reporter   ~0002840

I've found the cause of this.
Not sure if for some mailservers escaping these characters in the password is really needed.

In the SOPE-1.3.8 source tree, in sope-mime/NGImap4/NGImap4Client.m

on line 542 :

self->password = [[_passwd stringByEscapingImap4Password] copy];

you can either replace this with :

self->password = [_passwd copy];

or, you can edit sope-mime/NGImap4/NSString+Imap4.m

and comment out the characters you don't want escaped starting on line 269 :

  else switch (chars[i]) {
    //case '(':
    //case ')':
    //case '{':
    //case ' ':
    //case '%':
    //case '*':
    case '"':
    //case '\\':
      conv = YES;
      break;
  }

VIOLA!

Not sure what the security/stability side effects these changes have, but it did make it so the * in my IMAP password didn't make my mail folders not be displayed.

buzzdee

buzzdee

2011-09-03 15:24

reporter   ~0002841

I've seen the same, or sth. similar with opengroupware, there I recognized the problem with umlauts in the password. The relevant bug entry is here: http://sourceforge.net/apps/mantisbt/opengroupware/view.php?id=66

ludovic

ludovic

2011-12-30 20:03

administrator   ~0003243

Fixed properly - using IMAP4's continuation.

See: http://mtn.inverse.ca/revision/diff/00e41d1f78647ab913b68bad93535f9554a94aaf/with/a2112c6513358c1ff28c2f936a00c3fe72723427

Issue History

Date Modified Username Field Change
2011-07-18 11:50 doma New Issue
2011-07-19 06:30 gienger Note Added: 0002721
2011-08-19 23:03 pwyman Note Added: 0002813
2011-09-02 21:49 pwyman Note Added: 0002840
2011-09-03 15:24 buzzdee Note Added: 0002841
2011-11-10 00:42 ludovic Target Version => 1.3.10
2011-11-18 18:32 ludovic Target Version 1.3.10 => 1.3.11
2011-12-12 17:36 francis Target Version 1.3.11 => 1.3.12
2011-12-30 20:03 ludovic Note Added: 0003243
2011-12-30 20:03 ludovic Status new => resolved
2011-12-30 20:03 ludovic Fixed in Version => 1.3.12
2011-12-30 20:03 ludovic Resolution open => fixed
2011-12-30 20:03 ludovic Assigned To => ludovic