Mark Constable wrote:
>
> This might be useful to someone, or the list archive...
>
> % cat /etc/courier/authProg
> #!/bin/bash
...
> # Handle the SQL queries, change parameters to suit, separator = <tab>.
>
> dosql () {
> echo "$1;"|/usr/bin/sqlite3 -separator ' ' /home/a/admin.sqlite
> }
What happens when you're processing "PASSWD", and someone used a quote
in their password? You're not checking input anywhere in this script to
make sure it's safe to pass to the SQL shell, which is bad.
> # Get the unique first 3 chars representing what incoming authdaemon
> # API functionality is needed. Will be one of PRE, AUT, PAS or ENU.
>
> TOKEN=$(echo "$TMPIN"|/usr/bin/cut -c -3)
Why not get the first word, instead, and then use a "case" statement
instead of a series of if/elif tests?
You don't even need awk for this sort of thing...
case ${TMPIN%% *} in   # first word only: %% strips from the first space onward
PRE) ;;
AUTH) ;;
PASSWD) ;;
ENUMERATE) ;;
esac
> if [ "x$TOKEN" = "xPRE" ]; then
>
> # PRE . authservice username<newline>
> #
> # Look up data for an account. authservice identifies the service the
> # user is trying to use - e.g. pop3, imap, webmail etc. If the account
> # exists, return the account data as a series of ATTR=value
> # newline-terminated lines, followed by a period on a line of its own.
>
> ID=$(echo $TMPIN|/usr/bin/awk '{print $4}')
Bash is slow enough without calling awk all the time. :)
read -r CMD DOT SERVICE ID <<< "$TMPIN"
> # AUTH len<newline>len-bytes
> #
> # Validate a login attempt. The AUTH line is followed by len-bytes of
> # authentication data, which does not necessarily end with a newline.
>
> read A # throwaway
> read B # throwaway
> read ID
> read PW
That won't work when there's no newline. That sort of problem is easier
to fix when you're not using bash. Input validation probably is, too.
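The two problems raised in this reply, a quote in the password reaching the SQL shell and an AUTH payload that need not end in a newline, handled the way the reply suggests, outside bash. This is an added example, not code from the thread or from Courier; the accounts table, its columns and the sample row are assumed, since the original script's queries are elided, and the field order inside the AUTH block follows the quoted script's four reads.

```python
import io
import sqlite3

def read_auth_block(stream):
    """Parse 'AUTH len<newline>' + exactly len bytes; return (login, password) or None.

    Four newline-separated fields: service, auth type, login, password.  The last
    need not end with a newline, so slice by byte count, not line by line.
    """
    header = stream.readline()
    if not header.startswith(b"AUTH "):
        return None
    try:
        length = int(header.split()[1])
    except (IndexError, ValueError):
        return None
    payload = stream.read(length)
    if len(payload) != length:
        return None                      # short read: refuse rather than guess
    fields = payload.split(b"\n", 3)     # at most four fields
    if len(fields) != 4:
        return None
    _service, _authtype, login, password = fields
    if password.endswith(b"\n"):         # tolerate one optional trailing newline
        password = password[:-1]
    return login.decode("utf-8", "replace"), password.decode("utf-8", "replace")

def check_password(conn, login, password):
    """Bound parameters: a quote in the password is data, not SQL."""
    return conn.execute(
        "SELECT id, home FROM accounts WHERE id = ? AND pw = ?",  # assumed schema
        (login, password),
    ).fetchone()

def authenticate(stream, conn):
    """Parse an AUTH block from stream and verify it; None on any failure."""
    creds = read_auth_block(stream)
    return None if creds is None else check_password(conn, *creds)

def demo_conn():
    """Constructed in-memory stand-in for admin.sqlite (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, pw TEXT, home TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 'it''s secret', '/home/alice')")
    return conn

def auth_stream(*fields):
    """Construct an 'AUTH len' block from fields (test input, not real traffic)."""
    body = b"\n".join(fields)
    return io.BytesIO(b"AUTH %d\n%s" % (len(body), body))
```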
_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users