tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix Courier ACL

Browse Source 
Replaced blacklisting approach with a whitelisting on, thus preventing access
due to responses from authlib not containing the word 'FAIL', e.g. empty ones
(see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto)
This commit is contained in:
Benjamin Frank 2012-07-02 13:30:28 +02:00 committed by Guillaume Ayoub
parent ea94ec919e
commit 03fc5fc526
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
radicale/acl/courier.py
View File

@ -36,7 +36,7 @@ def has_right(owner, user, password):
return False return False
line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password) line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
line = "%i\n%s" % (len(line), line) line = "AUTH %i\n%s" % (len(line), line)
try: try:
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect(COURIER_SOCKET) sock.connect(COURIER_SOCKET)
@ -51,7 +51,13 @@ def has_right(owner, user, password):
log.LOGGER.debug("Got Courier socket response: %r" % data) log.LOGGER.debug("Got Courier socket response: %r" % data)
if repr(data) == "FAIL": # Address, HOME, GID, and either UID or USERNAME are mandatory in resposne
return False # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
for line in data.split():
if 'GID' in line:
return True return True
# default is reject
# this alleviates the problem of a possibly empty reply from courier authlib
# see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
return False