Rémy Sanchez writes:
Hi,

Some time ago I updated courier-authlib with the Debian security update against the SQL injections. The problem now is that I have a lot of users who log in without a domain in their login id (I had to keep passwords from an old qmail :'(, and then the username to log in is not [email protected] but user-and-some-random-things ...). Before the update, it was working fine, but right now it seems that the queries look more like:

SELECT username, crypt, "", uid, gid, pop, "", quota, realname, "" FROM users WHERE username = 'remy@'

The @ does not seem to be leaving. I've had a quick look at the sources, and I've seen that the tests are still present in authmysqllib.c, but they do not seem to be effective anymore...

And by the way, I did not define any custom select query.

Can anyone propose something that could solve this problem, or help me to debug it? Some quick help would be appreciated, before I'm burned alive by my users/client...

Sounds like Debian's update introduced a bug. The quickest fix for you is to try defining the login id field, in authmysqlrc, as "username || '@'" (or whatever is the appropriate syntax for MySQL).
