On Tue, 20 Nov 2007, Gerrit E.G. Hobbelt wrote:
> Hi,
>
> While hunting down another issue (to be posted shortly), I ran into this
> one. Shouldn't the '&&' be replaced with a '||' for security reasons in
> error situations? Otherwise error situations in [ONLY] ONE of the calls
> (due to wrong setup or other gimmicks) would INCORRECTLY and UNDESIRABLY
> mark the client as authenticated. (i.e. a [minor/micro? ;-) ] security
> hole.)
No, it is as designed. It needs to check *both* authentications.
Please stop spreading FUD about security holes.
>
> Best regards,
>
> Ger
>
>
> Diff shown below for inspection:
>
> x--- ../../1original/xmail/SMTPSvr.cpp 2007-11-02 01:34:32.000000000
> +0100
> +++ ./SMTPSvr.cpp 2007-11-20 02:03:53.000000000 +0100
> @@ -2791,7 +2819,7 @@
> szPassword, NULL, NULL)) < 0)
> return ErrGetErrorCode();
> else if (iError == 0) {
> - if (SMTPTryApplyLocalAuth(SMTPS, szUsername, szPassword) < 0 &&
> + if (SMTPTryApplyLocalAuth(SMTPS, szUsername, szPassword) < 0 ||
> /* [i_a] config failure ==> auth error to prevent security breach! */
> SMTPTryApplyUsrPwdAuth(SMTPS, szUsername, szPassword) < 0) {
> ErrorPush();
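Review bot: the `&&` to `||` swap on the `+` line changes which clients reach `ErrorPush()`, and not in the direction the comment claims. With `&&` the error branch is taken only when both `SMTPTryApplyLocalAuth` and `SMTPTryApplyUsrPwdAuth` return < 0, so one mechanism succeeding is enough, which is the "check both" fallback the maintainer describes. With `||`, short-circuit evaluation means a < 0 from local auth rejects the client before `SMTPTryApplyUsrPwdAuth` is ever called, and a client that passes local auth is still rejected when user/password auth returns < 0; every client served by only one of the two mechanisms is locked out. If the worry is that a configuration error and a bad credential are both reported as < 0, the fix is to distinguish those return codes (the `< 0` / `iError == 0` split at the top of this hunk already does that for the preceding call), not to change the operator. Minor: the inserted `/* [i_a] ... */` comment sits between the two operands of one condition and should move above the `if`.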
>
> -
> To unsubscribe from this list: send the line "unsubscribe xmail" in
> the body of a message to [EMAIL PROTECTED]
> For general help: send the line "help" in the body of a message to
> [EMAIL PROTECTED]
>
- Davide
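The disagreement above is about what each operator does to the fallback between the two mechanisms. The model below is an added example, not XMail's code: it replaces SMTPTryApplyLocalAuth and SMTPTryApplyUsrPwdAuth with stubs whose return values the caller chooses (the "< 0 means failed" contract is an assumption) and traces which stub is evaluated and whether the ErrorPush() branch would be reached under `&&` versus `||`.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the two XMail calls in the hunk. The thread does
 * not state their return contract; this model assumes < 0 = failed/errored. */
struct trace {
    int rejected;       /* 1 if the ErrorPush() branch would be taken */
    int local_called;   /* was the local-auth stub evaluated? */
    int usrpwd_called;  /* was the user/password stub evaluated? */
};

static int g_local, g_usrpwd;   /* simulated return values (constructed) */
static struct trace g_tr;

static int stub_local(void)  { g_tr.local_called = 1;  return g_local; }
static int stub_usrpwd(void) { g_tr.usrpwd_called = 1; return g_usrpwd; }

/* Condition as on the '-' line: reject only if BOTH mechanisms return < 0. */
struct trace eval_and(int local, int usrpwd) {
    g_local = local; g_usrpwd = usrpwd;
    g_tr = (struct trace){0, 0, 0};
    if (stub_local() < 0 && stub_usrpwd() < 0)
        g_tr.rejected = 1;
    return g_tr;
}

/* Condition as on the '+' line: reject if EITHER mechanism returns < 0. */
struct trace eval_or(int local, int usrpwd) {
    g_local = local; g_usrpwd = usrpwd;
    g_tr = (struct trace){0, 0, 0};
    if (stub_local() < 0 || stub_usrpwd() < 0)
        g_tr.rejected = 1;
    return g_tr;
}

int main(void) {
    /* All four outcome combinations; 0 = success, -1 = failure/config error. */
    const int cases[4][2] = {{0, 0}, {0, -1}, {-1, 0}, {-1, -1}};
    printf("local usrpwd | &&: rejected calls(L,U) | ||: rejected calls(L,U)\n");
    for (int i = 0; i < 4; i++) {
        struct trace a = eval_and(cases[i][0], cases[i][1]);
        struct trace o = eval_or(cases[i][0], cases[i][1]);
        printf("%5d %6d | %d %d,%d | %d %d,%d\n",
               cases[i][0], cases[i][1],
               a.rejected, a.local_called, a.usrpwd_called,
               o.rejected, o.local_called, o.usrpwd_called);
    }
    return 0;
}
```

With `&&`, a < 0 from one mechanism and success from the other still authenticates; with `||`, a < 0 from local auth rejects the client before the user/password stub is evaluated at all.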