[Twisted-Python] PLAINAuthenticator in twisted.mail.imap4

Kevin Horn kevin.horn at gmail.com
Wed Jul 29 12:55:54 EDT 2009


On Wed, Jul 29, 2009 at 11:03 AM, Kevin Horn <kevin.horn at gmail.com> wrote:

> On Wed, Jul 29, 2009 at 10:51 AM, Kevin Horn <kevin.horn at gmail.com> wrote:
>
>> On Wed, Jul 29, 2009 at 6:29 AM, Jean-Paul Calderone <exarkun at divmod.com> wrote:
>>
>>> On Wed, 29 Jul 2009 00:54:20 -0500, Kevin Horn <kevin.horn at gmail.com> wrote:
>>> >I was digging through the Twisted IMAP code tonight and I noticed something
>>> >puzzling...
>>> >
>>> >PLAINAuthenticator.challengeResponse() uses the following statement to send
>>> >auth credentials to the server
>>> >
>>> >        return '%s\0%s\0' % (self.user, secret)
>>> >
>>> >which would give auth credentials of the form:
>>> >
>>> >        authid<NUL>password<NUL>
>>> >
>>> >        (where <NUL> is the NUL character)
>>> >
>>> >However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism),
>>> >say that credentials should be passed this way:
>>> >
>>> >        [authzid]<NUL>authnid<NUL>password
>>> >
>>> >        (where <NUL> is the NUL character and [authzid] is optional)
>>> >
>>> >Now even if one was to leave the authzid out of the equation, you would end
>>> >up with something like this:
>>> >
>>> >        <NUL>authnid<NUL>password
>>> >
>>> >and the version Twisted's IMAP code uses appears to be invalid.
>>> >
>>> >Am I crazy?
>>> >Am I missing something?
>>> >Is it just way too late and I should put the RFCs down and back away slowly?
>>>
>>> My early morning reading of the RFC agrees with yours.  Someone else brought
>>> this up a long time ago, I think, but never pointed out the RFC.
>>>
>>> Can you file a ticket?
>>>
>>> Jean-Paul
>>>
>>>
>>
>> At least I'm not crazy... :)
>>
>> Ticket #3939 filed: http://twistedmatrix.com/trac/ticket/3939
>>
>> Also added a note in the ticket that PLAINCredentials may need to be
>> modified to match.
>>
>> Kevin Horn
>>
>>
>>
> FYI, attached a patch to the ticket. I haven't really tested it, but if
> someone could take a look and let me know what they think I'd appreciate it.
>
> Kevin Horn
>

Can anyone tell me what the recommended way to run the Twisted test suite
against my trunk checkout is (on Win32)?  I can't seem to make it work.  I
just get a bunch of DeprecationWarnings and then a stack trace complaining
about not being able to remove my _trial_temp directory...

Kevin Horn
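
The two layouts discussed in this thread, as an added example that is not part of the original messages and is not Twisted's code: a builder for the RFC 4616 form, the layout quoted from challengeResponse(), and a strict parser a server could apply. All function names and the sample credentials are constructed for illustration.

```python
# Added example (not Twisted code): SASL PLAIN framing per RFC 4616,
#   message = [authzid] NUL authcid NUL passwd
# with authcid and passwd non-empty and no NUL inside any field.

NUL = b"\x00"

class PlainFormatError(ValueError):
    """Raised when a message does not match the RFC 4616 grammar."""

def build_plain(authcid, passwd, authzid=""):
    """Return [authzid] NUL authcid NUL passwd as UTF-8 bytes."""
    fields = [f.encode("utf-8") for f in (authzid, authcid, passwd)]
    if any(NUL in f for f in fields):
        raise PlainFormatError("NUL is not allowed inside a field")
    if not fields[1] or not fields[2]:
        raise PlainFormatError("authcid and passwd must be non-empty")
    return NUL.join(fields)

def build_legacy(user, secret):
    """The layout quoted in the thread: user NUL secret NUL."""
    return ("%s\0%s\0" % (user, secret)).encode("utf-8")

def parse_plain(message):
    """Split a PLAIN message into (authzid, authcid, passwd) or raise."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise PlainFormatError("expected exactly two NUL separators")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise PlainFormatError("fields must be valid UTF-8") from exc
    if not authcid or not passwd:
        raise PlainFormatError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd

def naive_split(message):
    """Lenient split, showing where each field of a message lands."""
    return tuple(p.decode("utf-8") for p in message.split(NUL))

if __name__ == "__main__":
    # Constructed sample credentials.
    print(parse_plain(build_plain("alice", "s3cret")))
    print(naive_split(build_legacy("alice", "s3cret")))
```

Under a lenient three-way split the legacy message places the password in the authcid position with an empty passwd, so a server that logs the authentication identity on failure would record the secret; the strict parser rejects the message instead.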