At 2/24/02 12:00 PM, marc lindahl wrote:
>I found a function called badstr() in auth.c - it looks like it's being used
>to qualify both the username in verifyuid() and username and password in
>login() and login_changepwd().
This issue came up on the sqwebmail users list a couple of weeks ago. I did some fairly extensive research into it.

The badstr() function checks for shell characters in the password in two cases: when the user logs in, and when the user is changing the password.

I traced through the code and verified to my own satisfaction that the password can never be passed to the shell in the first case (user login). Therefore, I disabled the badstr() check in that case, and users can now log in with their funky passwords.

The second case (user changing password) is NOT safe to disable, as the password may be passed to the shell by password-changing modules. I left the badstr() check in place there. (In my case, this didn't matter, as I don't allow users to change their passwords via sqwebmail anyway.)

This was all on version 3.2; it's theoretically possible things have changed in 3.3.1.

Hope this helps.

--
Robert L Mathews, Tiger Technologies

"The trouble with doing something right the first time is
that nobody appreciates how difficult it was."

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
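The distinction Robert draws above (a check that is only needed when the string actually reaches a shell) is easy to see in code. The following is an added example written for this page, not code from sqwebmail or courier; the metacharacter set, the "changepw" helper name and the function bodies are all assumptions. It shows a badstr()-style filter, the command-string path (for popen()/system()) where the filter is mandatory, and the argv/exec path where no shell parses the value and the filter is unnecessary.

```c
/* Added example, not sqwebmail/courier code. Demonstrates why a shell
 * metacharacter check is required on one code path and not the other.
 * The SHELL_META set and the "changepw" helper name are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters /bin/sh treats specially (assumed set, deliberately broad). */
static const char SHELL_META[] = "`$\\\"'|&;<>()*?[]{}~!#\n\r\t ";

/* badstr()-style check: returns 1 if s contains any shell metacharacter. */
int badstr(const char *s)
{
    for (; *s; s++)
        if (strchr(SHELL_META, *s))
            return 1;
    return 0;
}

/* Path 1: user and password are interpolated into a command line that will
 * be handed to "sh -c" (e.g. via popen()). Single quotes do not help on
 * their own: a password such as  x' ; id ; '  closes the quote and runs
 * arbitrary commands. The badstr() gate is therefore mandatory here.
 * Returns 0 on success, -1 if a value is unsafe or the buffer is too small. */
int build_shell_cmd(const char *user, const char *pass, char *out, size_t outlen)
{
    if (badstr(user) || badstr(pass))
        return -1;
    int n = snprintf(out, outlen, "changepw '%s' '%s'", user, pass);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Path 2: the values become separate argv entries for exec*(). No shell ever
 * parses them, so any byte except NUL is passed through verbatim and no
 * metacharacter filter is needed. argv must have room for 4 pointers. */
void build_argv(const char *user, const char *pass, const char *argv[4])
{
    argv[0] = "changepw";
    argv[1] = user;
    argv[2] = pass;
    argv[3] = NULL;
}

/* Runs the (assumed) changepw helper without a shell. Returns the child's
 * exit status, 127 if the helper cannot be executed, or -1 on fork/wait error. */
int run_changepw_no_shell(const char *user, const char *pass)
{
    const char *argv[4];
    build_argv(user, pass, argv);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                      /* exec failed: helper not found */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hostile = "x' ; id ; '";    /* constructed sample password */
    char cmd[128];

    printf("badstr(\"hunter2\") = %d\n", badstr("hunter2"));
    printf("badstr(\"%s\") = %d\n", hostile, badstr(hostile));

    if (build_shell_cmd("marc", hostile, cmd, sizeof cmd) < 0)
        printf("shell path: refused hostile password (correct)\n");
    if (build_shell_cmd("marc", "hunter2", cmd, sizeof cmd) == 0)
        printf("shell path: %s\n", cmd);

    const char *argv[4];
    build_argv("marc", hostile, argv);
    printf("argv path: argv[2] passed verbatim: %s\n", argv[2]);
    return 0;
}
```

The practical rule this illustrates is the one in the message above: trace where the string goes. If it is only ever compared against a stored credential or handed to exec*() as its own argument, the filter buys nothing and just blocks legitimate passwords; if it is ever spliced into a command string, the filter (or, better, switching that path to argv) is the only thing standing between a password field and command execution.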
