On Wed, Jul 29, 2009 at 10:51 AM, Kevin Horn <kevin.h...@gmail.com> wrote:
> On Wed, Jul 29, 2009 at 6:29 AM, Jean-Paul Calderone <exar...@divmod.com> wrote:
>
>> On Wed, 29 Jul 2009 00:54:20 -0500, Kevin Horn <kevin.h...@gmail.com> wrote:
>> >I was digging through the Twisted IMAP code tonight and I noticed something
>> >puzzling...
>> >
>> >PLAINAuthenticator.challengeResponse() uses the following statement to send
>> >auth credentials to the server
>> >
>> >    return '%s\0%s\0' % (self.user, secret)
>> >
>> >which would give auth credentials of the form:
>> >
>> >    authid<NUL>password<NUL>
>> >
>> >    (where <NUL> is the NUL character)
>> >
>> >However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism),
>> >say that credentials should be passed this way:
>> >
>> >    [authzid]<NUL>authnid<NUL>password
>> >
>> >    (where <NUL> is the NUL character and [authzid] is optional)
>> >
>> >Now even if one was to leave the authzid out of the equation, you would end
>> >up with something like this:
>> >
>> >    <NUL>authnid<NUL>password
>> >
>> >and the version Twisted's IMAP code uses appears to be invalid.
>> >
>> >Am I crazy?
>> >Am I missing something?
>> >Is it just way too late and I should put the RFCs down and back away slowly?
>>
>> My early morning reading of the RFC agrees with yours.  Someone else brought
>> this up a long time ago, I think, but never pointed out the RFC.
>>
>> Can you file a ticket?
>>
>> Jean-Paul
>
> At least I'm not crazy... :)
>
> Ticket #3939 filed: http://twistedmatrix.com/trac/ticket/3939
>
> also added a note in the ticket that PLAINCredentials may need to be
> modified to match
>
> Kevin Horn

FYI, attached a patch to the ticket.  I haven't really tested it, but if
someone could take a look and let me know what they think I'd appreciate it.

Kevin Horn
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
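
The two layouts compared in the thread, as an added example that is not part of the original messages, the ticket's patch, or Twisted's code: a builder and a strict server-side parser for the RFC 4616 PLAIN message. It shows that the `authid<NUL>password<NUL>` form still splits into three fields, with the user name in the authzid slot, the password in the authcid slot and an empty passwd, which the grammar forbids. The function names and the sample credentials are constructed for illustration.

```python
# Added example (Python 3): RFC 4616 grammar is
#   message = [authzid] NUL authcid NUL passwd
# where authcid and passwd are one or more UTF-8 characters other than NUL.
# All names below are hypothetical helpers, not Twisted APIs.


class PlainError(ValueError):
    """Raised when a PLAIN message does not match the RFC 4616 grammar."""


def encode_plain(authcid, passwd, authzid=""):
    """Client side: build [authzid] NUL authcid NUL passwd as UTF-8 bytes."""
    for name, value in (("authzid", authzid), ("authcid", authcid),
                        ("passwd", passwd)):
        if "\0" in value:
            raise PlainError(f"{name} must not contain NUL")
    if not authcid or not passwd:
        raise PlainError("authcid and passwd must be non-empty")
    return "\0".join((authzid, authcid, passwd)).encode("utf-8")


def parse_plain(message):
    """Server side: return (authzid, authcid, passwd) or raise PlainError."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise PlainError(f"expected 2 NUL separators, found {len(parts) - 1}")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise PlainError("fields must be valid UTF-8") from exc
    if not authcid:
        raise PlainError("empty authcid")
    if not passwd:
        # This is where 'user NUL secret NUL' fails: the trailing NUL
        # leaves nothing in the passwd position.
        raise PlainError("empty passwd")
    return authzid, authcid, passwd


def legacy_form(user, secret):
    """The 'authid NUL password NUL' layout quoted in the thread, as bytes."""
    return ("%s\0%s\0" % (user, secret)).encode("utf-8")


if __name__ == "__main__":
    # Constructed sample credentials.
    print(parse_plain(encode_plain("alice", "s3cret")))
    try:
        parse_plain(legacy_form("alice", "s3cret"))
    except PlainError as err:
        print("legacy form rejected:", err)
```

A parser that only splits on NUL and skips the empty-field checks would accept the legacy bytes with the fields shifted by one position, so the emptiness checks are what make the mismatch visible.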