Hi,
While hunting down another issue (to be posted shortly), I ran into this
one. Shouldn't the '&&' be replaced with a '||' for security reasons in
error situations? Otherwise error situations in [ONLY] ONE of the calls
(due to wrong setup or other gimmicks) would INCORRECTLY and UNDESIRABLY
mark the client as authenticated. (i.e. a [minor/micro? ;-) ] security
hole.)
Best regards,
Ger
Diff shown below for inspection:
x--- ../../1original/xmail/SMTPSvr.cpp 2007-11-02 01:34:32.000000000 +0100
+++ ./SMTPSvr.cpp 2007-11-20 02:03:53.000000000 +0100
@@ -2791,7 +2819,7 @@
szPassword, NULL, NULL)) < 0)
return ErrGetErrorCode();
else if (iError == 0) {
- if (SMTPTryApplyLocalAuth(SMTPS, szUsername, szPassword) < 0 &&
+ if (SMTPTryApplyLocalAuth(SMTPS, szUsername, szPassword) < 0 ||
/* [i_a] config failure ==> auth error to prevent security breach! */
SMTPTryApplyUsrPwdAuth(SMTPS, szUsername, szPassword) < 0) {
ErrorPush();
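Review bot: on the changed `if` line, `||` makes the login fail whenever either call returns < 0, and because of short-circuit evaluation SMTPTryApplyUsrPwdAuth is never called once SMTPTryApplyLocalAuth has failed. If the two calls are alternative credential sources, a user who matches one but is simply unknown to the other is now refused. The visible lines do not show whether a negative return means a configuration error or only a non-matching credential; if the two can be told apart, reject on the error case specifically and keep accepting when one check succeeds. The `/* [i_a] ... */` comment would also read better on its own line above the `if` than between the two operands of the condition.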
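The decision rules discussed in this message, compared side by side in an added example (not part of the original post and not XMail's code). It assumes the two checks are alternative credential sources and models each with a hypothetical three-valued `auth_result`; the page itself only shows that both functions signal failure with a value `< 0`.

```c
#include <stdio.h>

/* Hypothetical result type: the page only shows "< 0" meaning failure. */
typedef enum { AUTH_OK = 0, AUTH_NOMATCH = -1, AUTH_ERROR = -2 } auth_result;

/* Rule before the patch: reject only when both checks return < 0. */
int accept_and(auth_result local, auth_result usrpwd)
{
    return !(local < 0 && usrpwd < 0);
}

/* Rule after the patch: reject when either check returns < 0. */
int accept_or(auth_result local, auth_result usrpwd)
{
    return !(local < 0 || usrpwd < 0);
}

/* Fail-closed alternative: an internal error in either check rejects;
 * otherwise one matching credential source is enough. Both results are
 * needed, so neither call may be skipped by short-circuit evaluation. */
int accept_tristate(auth_result local, auth_result usrpwd)
{
    if (local == AUTH_ERROR || usrpwd == AUTH_ERROR)
        return 0;
    return local == AUTH_OK || usrpwd == AUTH_OK;
}

int main(void)
{
    /* Constructed inputs: every combination of the three outcomes. */
    static const auth_result v[] = { AUTH_OK, AUTH_NOMATCH, AUTH_ERROR };
    static const char *name[] = { "ok", "nomatch", "error" };

    printf("%-8s %-8s  &&  ||  tri\n", "local", "usrpwd");
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++)
            printf("%-8s %-8s  %d   %d   %d\n", name[i], name[j],
                   accept_and(v[i], v[j]), accept_or(v[i], v[j]),
                   accept_tristate(v[i], v[j]));
    return 0;
}
```

In the printed table, 1 means the client is treated as authenticated; the rows where one side is `error` or `nomatch` are where the three rules diverge.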