mail/dbmail/files/patch-0005-improve-crypt-authentication


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

From b4b82aca1dd1c8aece722b8370da02b715e4bb53 Mon Sep 17 00:00:00 2001
From: Paul J Stevens <p.stevens@lukkien.com>
Date: Wed, 10 Feb 2016 09:14:41 +0100
Subject: [PATCH 05/33] improve crypt authentication

also don't segfault when spasswd is empty
---
 src/dm_db.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git src/dm_db.c src/dm_db.c
index 313b33f..bfe9601 100644
--- src/dm_db.c
+++ src/dm_db.c
@@ -3687,6 +3687,10 @@ int db_user_validate(ClientBase_T *ci, const char *pwfield, uint64_t *user_idnr,
 		return t;
 	
 	if (! t) return FALSE;
+	if (! strlen(dbpass)) {
+		TRACE(TRACE_INFO, "Empty password for [%" PRIu64 "] in [%s]", *user_idnr, pwfield);
+	       	return FALSE;
+	}
 
 	if (SMATCH(encode, "")) {
 		TRACE(TRACE_DEBUG, "validating using plaintext passwords");
@@ -3699,7 +3703,8 @@ int db_user_validate(ClientBase_T *ci, const char *pwfield, uint64_t *user_idnr,
 
 	if (SMATCH(encode, "crypt")) {
 		TRACE(TRACE_DEBUG, "validating using crypt() encryption");
-		is_validated = (strcmp((const char *) crypt(password, dbpass), dbpass) == 0) ? 1 : 0;
+		strncpy(salt, dbpass, 2);
+		is_validated = (strcmp((const char *) crypt(password, salt), dbpass) == 0) ? 1 : 0;
 	} else if (SMATCH(encode, "md5")) {
 		/* get password */
 		if (strncmp(dbpass, "$1$", 3)) { // no match
-- 
2.10.1 (Apple Git-78)