Niko Usai created JAMES-3868:
--------------------------------

             Summary: Cannot handle IMAP PLAIN login with password longer than 255 char
                 Key: JAMES-3868
                 URL: https://issues.apache.org/jira/browse/JAMES-3868
             Project: James Server
          Issue Type: Bug
    Affects Versions: 3.6.0
            Reporter: Niko Usai


There is a bug, in my opinion, in how `AuthenticateProcessor` handles PLAIN 
login omitting the authorization identity.
The fact is that when the authorization identity is blank, the password field is parsed 
with Username.of(), which has the 255 char limitation, and the code expects to raise an 
exception when looking for the 3rd missing argument, where the password should 
be, which does not have this limitation.
This leads to an "IllegalArgumentException" of the Username class, creating an 
invalid AuthenticationAttempt.


{code:java}
String userpass = new String(Base64.getDecoder().decode(initialClientResponse));
StringTokenizer authTokenizer = new StringTokenizer(userpass, "\0");
String token1 = authTokenizer.nextToken();  // Authorization Identity
String token2 = authTokenizer.nextToken();  // Authentication Identity
try {
    return delegation(Username.of(token1), Username.of(token2), authTokenizer.nextToken());
} catch (java.util.NoSuchElementException ignored) {
    // If we got here, this is what happened.  RFC 2595
    // says that "the client may leave the authorization
{code}
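The following is an added, self-contained illustration of the failure mode described above; it is not code from James. The class name `PlainResponseDemo`, the stand-in `usernameOf()` (which imitates the 255-char limit of `Username.of()`), the `Attempt` record and the two parser methods are all assumptions made for this example. `parseWithTokenizer` reproduces the shape of the snippet in the report: because `StringTokenizer` silently skips the empty leading field, an initial response of `NUL user NUL password` yields the password as the second token, and the username length check is applied to it before the missing third token is ever requested. `parseWithSplit` shows the fix: `String.split("\0", -1)` keeps empty fields, so the three positions of the RFC 4616 PLAIN message are stable and the length rule is applied only to the two identity fields.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.StringTokenizer;

// Added example (not James code): parse a SASL PLAIN initial response
// "[authzid] NUL authcid NUL passwd" without applying the username length
// limit to the password field.
public final class PlainResponseDemo {

    // Stand-in for Username.of(): enforces the 255-char limit mentioned in the report.
    static final int MAX_USERNAME_LENGTH = 255;

    static String usernameOf(String value) {
        if (value.isEmpty() || value.length() > MAX_USERNAME_LENGTH) {
            throw new IllegalArgumentException("invalid username length: " + value.length());
        }
        return value;
    }

    // Hypothetical result type standing in for AuthenticationAttempt.
    record Attempt(Optional<String> authorizationId, String authenticationId, String password) {}

    // Buggy shape from the report: StringTokenizer drops the empty leading field,
    // so for "\0user\0pw" token1 becomes "user" and token2 becomes the password.
    // usernameOf(token2) then throws before nextToken() can raise NoSuchElementException.
    static Attempt parseWithTokenizer(String decoded) {
        StringTokenizer t = new StringTokenizer(decoded, "\0");
        String token1 = t.nextToken();
        String token2 = t.nextToken();
        try {
            return new Attempt(Optional.of(usernameOf(token1)), usernameOf(token2), t.nextToken());
        } catch (java.util.NoSuchElementException e) {
            return new Attempt(Optional.empty(), usernameOf(token1), token2);
        }
    }

    // Fixed shape: split with limit -1 keeps empty fields, so field positions are
    // stable and the length rule is applied only to the two identity fields.
    static Attempt parseWithSplit(String decoded) {
        String[] parts = decoded.split("\0", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("PLAIN response must have exactly 3 fields, got " + parts.length);
        }
        Optional<String> authz = parts[0].isEmpty() ? Optional.empty() : Optional.of(usernameOf(parts[0]));
        return new Attempt(authz, usernameOf(parts[1]), parts[2]);
    }

    static String decode(String base64) {
        return new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed input: no authorization identity, a 300-char password (over 255).
        String longPassword = "p".repeat(300);
        String encoded = Base64.getEncoder()
                .encodeToString(("\0alice\0" + longPassword).getBytes(StandardCharsets.UTF_8));
        String decoded = decode(encoded);

        try {
            parseWithTokenizer(decoded);
            System.out.println("tokenizer: accepted");
        } catch (IllegalArgumentException e) {
            // This branch is taken: the password was validated as a username.
            System.out.println("tokenizer: rejected -> " + e.getMessage());
        }

        Attempt ok = parseWithSplit(decoded);
        System.out.println("split: authz=" + ok.authorizationId()
                + " authc=" + ok.authenticationId()
                + " pwLen=" + ok.password().length());
    }
}
```

Run with `java PlainResponseDemo.java` (Java 16 or later for the record). The first parser rejects the login because the 300-char password reaches `usernameOf()`; the second accepts it with an empty authorization identity, `alice` as the authentication identity and the password untouched. The same positional parsing also rejects responses with too few or too many NUL-separated fields instead of relying on a caught exception to infer which field was omitted.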
--
This message was sent by Atlassian Jira
(v8.20.10#820010)