[Twisted-Python] PLAINAuthenticator in twisted.mail.imap4

Kevin Horn kevin.horn at gmail.com
Wed Jul 29 01:54:20 EDT 2009


I was digging through the Twisted IMAP code tonight and I noticed something
puzzling...

PLAINAuthenticator.challengeResponse() uses the following statement to send
auth credentials to the server

        return '%s\0%s\0' % (self.user, secret)

which would give auth credentials of the form:

        authid<NUL>password<NUL>

        (where <NUL> is the NUL character)

However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism),
say that credentials should be passed this way:

        [authzid]<NUL>authnid<NUL>password

        (where <NUL> is the NUL character and [authzid] is optional)

Now even if one was to leave the authzid out of the equation, you would end
up with something like this:

        <NUL>authnid<NUL>password

and the version Twisted's IMAP code uses appears to be invalid.

Am I crazy?
Am I missing something?
Is it just way too late and I should put the RFCs down and back away slowly?

Kevin Horn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-python/attachments/20090729/881af7b5/attachment.htm 


More information about the Twisted-Python mailing list