[Twisted-Python] PLAINAuthenticator in twisted.mail.imap4
Kevin Horn
kevin.horn at gmail.com
Wed Jul 29 09:51:01 MDT 2009
On Wed, Jul 29, 2009 at 6:29 AM, Jean-Paul Calderone <exarkun at divmod.com>wrote:
> On Wed, 29 Jul 2009 00:54:20 -0500, Kevin Horn <kevin.horn at gmail.com>
> wrote:
> >I was digging through the Twisted IMAP code tonight and I noticed
> something
> >puzzling...
> >
> >PLAINAuthenticator.challengeResponse() uses the following statement to
> send
> >auth credentials to the server
> >
> > return '%s\0%s\0' % (self.user, secret)
> >
> >which would give auth credentials of the form:
> >
> > authid<NUL>password<NUL>
> >
> > (where <NUL> is the NUL character)
> >
> >However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism),
> >say that credentials should be passed this way:
> >
> > [authzid]<NUL>authnid<NUL>password
> >
> > (where <NUL> is the NUL character and [authzid] is optional)
> >
> >Now even if one was to leave the authzid out of the equation, you would
> end
> >up with something like this:
> >
> > <NUL>authnid<NUL>password
> >
> >and the version Twisted's IMAP code uses appears to be invalid.
> >
> >Am I crazy?
> >Am I missing something?
> >Is it just way too late and I should put the RFCs down and back away
> slowly?
>
> My early morning reading of the RFC agrees with yours. Someone else
> brought
> this up a long time ago, I think, but never pointed out the RFC.
>
> Can you file a ticket?
>
> Jean-Paul
>
>
At least I'm not crazy... :)
Ticket #3939 filed: http://twistedmatrix.com/trac/ticket/3939
also added a note in the ticket that PLAINCredentials may need to be
modified to match
Kevin Horn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20090729/c73a88f6/attachment.html>
More information about the Twisted-Python
mailing list