0000433: Obtain imap password from authorization header in proxy auth mode - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0000433	SOGo	Web Mail	public	2010-02-16 15:19	2010-04-12 21:25

Reporter	luca	Assigned To	~~wsourdeau~~
Priority	normal	Severity	feature	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	nightly v2
Target Version	1.2.2	Fixed in Version	1.2.2

Summary	0000433: Obtain imap password from authorization header in proxy auth mode
Description	I casually discovered that if you are using basic authentication with SOGoTrustProxyAuthentication=YES and don't set x-webobject-remote-user, SOGo will derive the username from the Authorization header. The attached patch recovers the password so that SOGo can login to the imap server.
Tags	No tags attached.

2010-02-16 15:19	sogo-proxyauth-password.patch (1,749 bytes) diff --unified --recursive SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.h SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.h --- SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.h 2010-02-08 21:39:16.000000000 +0100 +++ SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.h 2010-02-09 09:23:26.000000000 +0100 @@ -40,8 +40,8 @@ @class SOGoUser; -// @interface SOGoProxyAuthenticator : SoHTTPAuthenticator <SOGoAuthenticator> -@interface SOGoProxyAuthenticator : NSObject <SOGoAuthenticator> +@interface SOGoProxyAuthenticator : SoHTTPAuthenticator <SOGoAuthenticator> +// @interface SOGoProxyAuthenticator : NSObject <SOGoAuthenticator> + (id) sharedSOGoProxyAuthenticator; diff --unified --recursive SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.m SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.m --- SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.m 2010-02-08 21:39:16.000000000 +0100 +++ SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.m 2010-02-09 09:25:21.000000000 +0100 @@ -100,14 +100,26 @@ - (NSString ) passwordInContext: (WOContext ) context { - return @""; + NSString auth, password; + NSArray creds; + + password = nil; + auth = [[context request] headerForKey: @"authorization"]; + if (auth) + { + creds = [self parseCredentials: auth]; + if ([creds count] > 1) + password = [creds objectAtIndex: 1]; + } + + return password; } - (NSString ) imapPasswordInContext: (WOContext ) context forServer: (NSString ) imapServer forceRenew: (BOOL) renew { - return (renew ? nil : @""); + return [self passwordInContext: context]; } - (WOResponse ) preprocessCredentialsInContext: (WOContext ) context sogo-proxyauth-password.patch (1,749 bytes)

~~wsourdeau~~ 2010-04-07 17:56 viewer ~0000883	Why are you using the proxy authenticator rather than the regular one? What is the use case here?

luca 2010-04-08 06:54 reporter ~0000896	Because it works? Access to our intranet from the outside is protected by basic auth, all other services that need authorization (i.e., squirrelmail) get the credentials from the basic auth headers, and sogo apparently works with it too (please don't remove the feature). Basic auth contains the username and the password, so it's possible to extract the password to login to the imap server.

~~wsourdeau~~ 2010-04-12 21:25 viewer ~0000930	Fixed in 2480fdc1f3b38f823b4837afc37bd69832ad93be. I have used a slightly different method: the subclassing from SoHTTPAuthenticator is avoided. I don't remember if there was a reason for that but I preferred to be conservative. Also, it's important that the imapPasswordInContext:forServer:forceRenew: returns nil when renew is YES.

Date Modified	Username	Field	Change
2010-02-16 15:19	luca	New Issue
2010-02-16 15:19	luca	File Added: sogo-proxyauth-password.patch
2010-02-23 14:18	ludovic	Target Version	=> 1.2.2
2010-04-07 17:56	~~wsourdeau~~	Note Added: 0000883
2010-04-08 06:54	luca	Note Added: 0000896
2010-04-12 21:25	~~wsourdeau~~	Note Added: 0000930
2010-04-12 21:25	~~wsourdeau~~	Status	new => resolved
2010-04-12 21:25	~~wsourdeau~~	Fixed in Version	=> 1.2.2
2010-04-12 21:25	~~wsourdeau~~	Resolution	open => fixed
2010-04-12 21:25	~~wsourdeau~~	Assigned To	=> wsourdeau