RFC 4314 seems to specifically disallow empty identifiers. Also, I
think your patch would probably permit an identifier of "-". BTW, I
have a patch to this code that I'm currently holding, which
introduces a leading "+" to identifiers. It's for the case of
XFERing mailboxes with invalid ACLs, i.e., a leading "+" means permit
canonicalization to fail. Speaking of canonicalization, I wonder
that the canonicalization routines would allow empty IDs... looks
like auth_krb5.c:mycanonifyid() probably wouldn't, and
auth_unix.c:mycanonifyid() used to but now doesn't. Perhaps the
problem is this:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/lib/auth_unix.c.diff?r1=1.37;r2=1.38
Removing those lines allows canonicalization of zero length IDs.
Can't be a good thing, even outside of ACLs.
:wes
On 03 Feb 2009, at 09:27, Thomas Jarosch wrote:
attached is a small patch for discussion. It prevents "setacl"
for empty identifiers.
If I read RFC 2086 correctly, empty identifiers seem to be allowed
(an oversight?), but most clients won't be able to handle this ACL
and there is also the question if there is a valid use case for this?
We just had two cases of users shooting themselves in the foot...
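
The gap raised in the reply above, where a check for the zero-length string alone still lets "-" through, shown as an added example that is not part of the thread or of the Cyrus source. The function names and status codes are hypothetical, and the only assumption is that a leading "-" marks negative rights, so "-" by itself names nobody.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch; not Cyrus identifiers. */
enum aclid_status { ACLID_OK, ACLID_EMPTY, ACLID_BARE_NEGATIVE };

/* Naive check: rejects only the zero-length string, so "-" passes. */
static bool naive_identifier_ok(const char *id)
{
    return id != NULL && id[0] != '\0';
}

/* Stricter check: split off one leading '-' (the negative-rights marker)
 * and require a non-empty name behind it. */
static enum aclid_status check_identifier(const char *id, bool *negative,
                                          const char **name)
{
    if (id == NULL || id[0] == '\0')
        return ACLID_EMPTY;
    *negative = (id[0] == '-');
    *name = *negative ? id + 1 : id;
    return (*name)[0] == '\0' ? ACLID_BARE_NEGATIVE : ACLID_OK;
}

/* Convenience wrapper that discards the parsed parts. */
static enum aclid_status status_of(const char *id)
{
    bool negative = false;
    const char *name = NULL;
    return check_identifier(id, &negative, &name);
}

int main(void)
{
    /* Constructed sample identifiers. */
    const char *samples[] = { "", "-", "anyone", "-anyone" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\": naive=%d strict=%d\n", samples[i],
               (int)naive_identifier_ok(samples[i]),
               (int)status_of(samples[i]));
    return 0;
}
```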