From 03fc5fc5260aebba329914e025a5bdbc91df8163 Mon Sep 17 00:00:00 2001 From: Benjamin Frank Date: Mon, 2 Jul 2012 13:30:28 +0200 Subject: [PATCH] Fix Courier ACL Replaced blacklisting approach with a whitelisting on, thus preventing access due to responses from authlib not containing the word 'FAIL', e.g. empty ones (see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto) --- radicale/acl/courier.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/radicale/acl/courier.py b/radicale/acl/courier.py index c919aa0..1b1926f 100644 --- a/radicale/acl/courier.py +++ b/radicale/acl/courier.py @@ -36,7 +36,7 @@ def has_right(owner, user, password): return False line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password) - line = "%i\n%s" % (len(line), line) + line = "AUTH %i\n%s" % (len(line), line) try: sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.connect(COURIER_SOCKET) @@ -51,7 +51,13 @@ def has_right(owner, user, password): log.LOGGER.debug("Got Courier socket response: %r" % data) - if repr(data) == "FAIL": - return False + # Address, HOME, GID, and either UID or USERNAME are mandatory in resposne + # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto + for line in data.split(): + if 'GID' in line: + return True - return True + # default is reject + # this alleviates the problem of a possibly empty reply from courier authlib + # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto + return False