Dear all,
Over the weekend I have been pushing some changes to the SASL authentication in IMAP, POP3 and SMTP that I have wanted to do for a long time - it is currently in the TODO docs and hopefully I will remove it shortly ;-)

Previously if anything went wrong with any challenge type message received from the server, and by that I mean for example: the DIGEST-MD5 parameters given by the server weren't what we were expecting or the NTLM message decoding failed, then we simply issued a log off command, gave up and returned an appropriate error code such as CURLE_LOGIN_DENIED.

What I have done for phase one is handle any errors gracefully by sending the "*" response back to the server; this instructs the server to cancel our log in attempt and return to the authentication state. From there we have two options: we can either safely log off and return an appropriate error code such as CURLE_LOGIN_DENIED (which is what I've currently implemented) or possibly try another authentication mechanism (which is what I would like to implement for phase two).

Anyway, that's the background. What I noticed whilst I was doing this is that we, currently, don't perform any validation against the base64 strings that we receive from a server. My understanding is that a base64 string:

* Should be a multiple of 4 characters
* Can have up to 2 padding characters "=" at the end

For example: if we were to encode the word "curl" it generates "Y3VybA==" which as you can see is 8 characters long and has the two padding characters at the end.

My question is: should we be performing validation as we attempt to decode the strings? Is it safer to do this, or is attempting to decode as much as possible as we do now the better way to go?
Now I must admit I don't know too much about base64 encoding / decoding but I noticed some of the base64 decoders that I use on the web validate the input [1] whilst others don't:

* One, if you miss the two =s off, will return the decoded string as "cur" and if you miss off one it returns "curl" with an unprintable character after it [2]
* Whilst another returns "curl" regardless of whether the input is 6, 7 or 8 characters [3]

Cheers in advance

Kind Regards

Steve

[1] = http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
[2] = http://www.motobit.com/util/base64-decoder-encoder.asp
[3] = http://www.base64decode.org/
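A strict decoder that applies the two rules from the post (length a multiple of 4, at most two trailing "=") and refuses the 6- and 7-character forms of "Y3VybA==" rather than guessing. This is an added example, not curl's own code; the function names `base64_strict_decode` and `decodes_to` are mine.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not curl's own code: a strict base64 decoder that rejects
 * the malformed inputs discussed above instead of decoding "as much as
 * possible". Returns 0 and sets *outlen on success; returns -1 if the length
 * is not a multiple of 4, a character is outside the alphabet, '=' appears
 * anywhere but the last one or two positions, or the unused bits before the
 * padding are not zero (a non-canonical encoding). */
static const char b64abc[] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

int base64_strict_decode(const char *in, unsigned char *out, size_t outcap,
                         size_t *outlen)
{
  size_t len = strlen(in), i, n = 0;
  int pad = 0;
  if(len == 0 || len % 4)
    return -1;                          /* must be whole 4-char groups */
  if(in[len - 1] == '=') pad++;
  if(pad && in[len - 2] == '=') pad++;  /* at most two '=' at the end */
  for(i = 0; i < len; i += 4) {
    unsigned long v = 0;
    int j, chars = (i + 4 == len) ? 4 - pad : 4;
    for(j = 0; j < chars; j++) {
      const char *p = strchr(b64abc, in[i + j]);
      if(!p)
        return -1;                      /* '=' mid-string or junk char */
      v = (v << 6) | (unsigned long)(p - b64abc);
    }
    v <<= 6 * (4 - chars);              /* left-align the 24-bit group */
    if(v & ((1UL << (8 * (4 - chars))) - 1))
      return -1;                        /* unused bits must be zero */
    if(n + (size_t)(chars - 1) > outcap)
      return -1;                        /* caller's buffer too small */
    for(j = 0; j < chars - 1; j++)
      out[n++] = (unsigned char)((v >> (16 - 8 * j)) & 0xff);
  }
  *outlen = n;
  return 0;
}

/* Helper: does `in` decode exactly to the text `expect`? (1 = yes, 0 = no) */
int decodes_to(const char *in, const char *expect)
{
  unsigned char buf[64];
  size_t n;
  if(base64_strict_decode(in, buf, sizeof buf, &n))
    return 0;
  return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}
```

With this, "Y3VybA==" decodes to "curl" while "Y3VybA" and "Y3VybA=" are rejected outright, so a server cannot feed the SASL code a truncated or ambiguous challenge that silently decodes to something else.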
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
