[Twisted-Python] PLAINAuthenticator in twisted.mail.imap4
Jean-Paul Calderone
exarkun at divmod.com
Wed Jul 29 05:29:33 MDT 2009
On Wed, 29 Jul 2009 00:54:20 -0500, Kevin Horn <kevin.horn at gmail.com> wrote:
>I was digging through the Twisted IMAP code tonight and I noticed something
>puzzling...
>
>PLAINAuthenticator.challengeResponse() uses the following statement to send
>auth credentials to the server
>
> return '%s\0%s\0' % (self.user, secret)
>
>which would give auth credentials of the form:
>
> authid<NUL>password<NUL>
>
> (where <NUL> is the NUL character)
>
>However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism),
>say that credentials should be passed this way:
>
> [authzid]<NUL>authnid<NUL>password
>
> (where <NUL> is the NUL character and [authzid] is optional)
>
>Now even if one was to leave the authzid out of the equation, you would end
>up with something like this:
>
> <NUL>authnid<NUL>password
>
>and the version Twisted's IMAP code uses appears to be invalid.
>
>Am I crazy?
>Am I missing something?
>Is it just way too late and I should put the RFCs down and back away slowly?
My early morning reading of the RFC agrees with yours. Someone else brought
this up a long time ago, I think, but never pointed out the RFC.
Can you file a ticket?
Jean-Paul
More information about the Twisted-Python
mailing list