Re: Security vulnerability in APOP authentication
Rocco Rutte <pdmef@xxxxxxx> writes:
> APOP IMHO should never be considered a secure way of authentication,
> it's just more secure than sending plain passwords over the wire. But
> yes, since the RFC says the "timestamp" must be a syntactically valid
> message-id and mutt doesn't check it, there's some room for improvement.
I've just added rfc822valid.c to fetchmail's SVN[1] (GNU GPL),
which is a dangerously dedicated hand-written RD-parser that validates a
token (const unsigned char *) against RFC 822's msg-id syntax and
returns 0 for invalid and 1 for valid.
It doesn't handle NUL characters yet, since fetchmail stomps over them
anyway when downloading from the net. If NUL-proofing is desirable, we
need to extend the API by a length argument and revise some functions.
Feel free to adapt this stuff to mutt (and feed back improvements and
fixes if you don't mind :-)).
[1] http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c
Comments solicited.
--
Matthias Andree
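The check discussed above, as an added example that is not fetchmail's rfc822valid.c and not code from either poster: a small recursive-descent validator for the RFC 822 msg-id grammar (atoms, quoted-strings, domain-literals, quoted-pairs), written length-aware so that an embedded NUL is simply an invalid octet, which is the API extension the post says would be needed. The function names rfc822_valid_msgid_n, rfc822_valid_msgid and apop_timestamp are my own, as is the choice to reject NUL inside quoted-pairs and to ignore RFC 822 comments and folding whitespace between tokens (a timestamp in a POP3 greeting never legitimately carries them). The greeting in the comments is the example banner from RFC 1939 section 7.

```c
#include <stddef.h>
#include <string.h>

/* Length-delimited cursor: an embedded NUL is an ordinary (and invalid)
 * octet here, not a terminator, which is the NUL-proofing the post mentions. */
struct cur { const unsigned char *p, *end; };

/* Byte at offset off, or -1 once the token is exhausted. */
static int peek(const struct cur *c, size_t off) {
    return (size_t)(c->end - c->p) > off ? c->p[off] : -1;
}

/* CHAR = any US-ASCII octet (NUL excluded by choice, see above);
 * specials = ( ) < > @ , ; : \ " . [ ] ;
 * atom = 1*<any CHAR except specials, SPACE and CTLs> */
static int is_char(int c) { return c > 0 && c < 128; }
static int is_special(int c) {
    return is_char(c) && strchr("()<>@,;:\\\".[]", c) != NULL;
}
static int is_atom_char(int c) { return c > 32 && c < 127 && !is_special(c); }

static int parse_atom(struct cur *c) {
    size_t n = 0;
    while (is_atom_char(peek(c, n))) n++;
    if (n == 0) return 0;
    c->p += n;
    return 1;
}

/* Shared body of quoted-string ("..." of qtext) and domain-literal ([...] of
 * dtext): any CHAR except the closer, CR, "\" and an optional extra forbidden
 * byte; "\" CHAR is a quoted-pair and escapes anything. */
static int parse_bracketed(struct cur *c, int open, int close, int forbid) {
    size_t n = 1;
    if (peek(c, 0) != open) return 0;
    for (;;) {
        int ch = peek(c, n);
        if (ch == close) { c->p += n + 1; return 1; }
        if (ch == '\\') {
            if (!is_char(peek(c, n + 1))) return 0;
            n += 2;
            continue;
        }
        if (!is_char(ch) || ch == '\r' || ch == forbid) return 0;
        n++;
    }
}

/* word = atom / quoted-string ; sub-domain = domain-ref / domain-literal */
static int parse_word(struct cur *c) {
    return parse_atom(c) || parse_bracketed(c, '"', '"', -2);
}
static int parse_sub_domain(struct cur *c) {
    return parse_atom(c) || parse_bracketed(c, '[', ']', '[');
}

/* elem *("." elem): local-part is made of words, domain of sub-domains. */
static int parse_dotted(struct cur *c, int (*elem)(struct cur *)) {
    if (!elem(c)) return 0;
    while (peek(c, 0) == '.') {
        c->p++;
        if (!elem(c)) return 0;
    }
    return 1;
}

/* msg-id = "<" addr-spec ">" ; addr-spec = local-part "@" domain
 * Returns 1 if token[0..len) is exactly one msg-id, 0 otherwise. */
int rfc822_valid_msgid_n(const unsigned char *token, size_t len) {
    struct cur c;
    c.p = token;
    c.end = token + len;
    if (peek(&c, 0) != '<') return 0;
    c.p++;
    if (!parse_dotted(&c, parse_word)) return 0;
    if (peek(&c, 0) != '@') return 0;
    c.p++;
    if (!parse_dotted(&c, parse_sub_domain)) return 0;
    if (peek(&c, 0) != '>') return 0;
    c.p++;
    return c.p == c.end;
}

/* NUL-terminated wrapper with the post's 0/1 contract. */
int rfc822_valid_msgid(const char *token) {
    return rfc822_valid_msgid_n((const unsigned char *)token, strlen(token));
}

/* Pull the <timestamp> out of a POP3 greeting such as the RFC 1939 example
 * "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>" and accept it
 * only if it is a well-formed msg-id. Copies it, brackets included, into out
 * (pass out == NULL to validate only); returns 1 on success, 0 if absent,
 * malformed or too long. Extraction stops at the first ">", so a msg-id whose
 * quoted local-part contains ">" is rejected, which is the safe failure. */
int apop_timestamp(const char *banner, char *out, size_t outlen) {
    const char *lt = strchr(banner, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    size_t n;
    if (!lt || !gt) return 0;
    n = (size_t)(gt - lt) + 1;
    if (!rfc822_valid_msgid_n((const unsigned char *)lt, n)) return 0;
    if (out) {
        if (n + 1 > outlen) return 0;
        memcpy(out, lt, n);
        out[n] = '\0';
    }
    return 1;
}
```

A client would call apop_timestamp on the greeting before feeding the timestamp into the APOP digest, and refuse APOP (fall back to USER/PASS over TLS, or abort) when it returns 0, rather than hashing whatever bytes the server chose to put between the angle brackets.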