Hi Wes,
rfc4314 seems to specifically disallow empty identifiers. Also, I think
you patch would probably permit an identifier of "-".
The check is done after the "-" handling so it should take care of it.
BTW, I have a patch to this code that I'm currently holding, which introduces a
leading "+" to identifiers. It's for the case of XFERing mailboxes with
invalid ACLs, i.e., a leading "+" means permit canonicalization to
fail. Speaking of canonicalization, I wonder that the canonicalization
routines would allow empty IDs... looks like auth_krb5.c:mycanonifyid()
probably wouldn't, and auth_unix.c:mycanonifyid() used to but now
doesn't. Perhaps the problem is this:
https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/cyrus/lib/auth_unix.c.diff?r1=1.37;r2=1.38
Removing those lines allows canonicalization of zero length IDs. Can't
be a good thing, even outside of ACLs.
Good catch. I'm wondering why that code in auth_unix.c was changed at all?
There must be a valid use case (?) to it.
How do we go from here? Once we agree on a patch(set),
I could open a bug report, if that helps any.
Cheers,
Thomas
