Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2022/12/30 02:04:00 UTC

[jira] [Closed] (JAMES-3868) Cannot handle IMAP PLAIN login with password longer than 255 char

     [ https://issues.apache.org/jira/browse/JAMES-3868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoit Tellier closed JAMES-3868.
---------------------------------
    Fix Version/s: 3.8.0
       Resolution: Fixed

> Cannot handle IMAP PLAIN login with password longer than 255 char
> -----------------------------------------------------------------
>
>                 Key: JAMES-3868
>                 URL: https://issues.apache.org/jira/browse/JAMES-3868
>             Project: James Server
>          Issue Type: Bug
>    Affects Versions: 3.6.0
>            Reporter: Niko Usai
>            Priority: Critical
>             Fix For: 3.8.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There is a bug, in my opinion, in how `AuthenticateProcessor` handles a PLAIN login that omits the authorization identity.
> The fact is that when the authorization identity is blank, the password field is parsed with Username.of(), which has the 255-char limitation, and the code expects to raise an exception when looking for the missing 3rd argument, where the password should be, which does not have this limitation.
> This leads to an "IllegalArgumentException" of the Username class, creating an invalid AuthenticationAttempt.
> {code:java}
> String userpass = new String(Base64.getDecoder().decode(initialClientResponse));
> StringTokenizer authTokenizer = new StringTokenizer(userpass, "\0");
> String token1 = authTokenizer.nextToken();  // Authorization Identity
> String token2 = authTokenizer.nextToken();  // Authentication Identity
> try {
>     return delegation(Username.of(token1), Username.of(token2), authTokenizer.nextToken());
> } catch (java.util.NoSuchElementException ignored) {
>     // If we got here, this is what happened.  RFC 2595
>     // says that "the client may leave the authorization {code}
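The root cause described in the report is that `StringTokenizer` silently drops the empty leading field, so with no authorization identity the password slides into the slot that is then wrapped in `Username.of()`. The following is an added example, not code from James or the reporter: `tokenizerSlots` reproduces that shift on a constructed 300-character password, and `parse` shows a position-preserving split (`String.split` with limit `-1`) that keeps the password in the third field regardless of length. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.NoSuchElementException;
import java.util.StringTokenizer;

// Added example (not James code): contrasts StringTokenizer parsing of a SASL PLAIN
// response with an empty authorization identity against a split that keeps empty fields.
public class PlainResponseParsing {

    // Decoded SASL PLAIN message: authzid may legitimately be empty (RFC 4616).
    public record PlainCredentials(String authzid, String authcid, String password) {}

    // Mimics the reported parsing. StringTokenizer skips empty tokens, so when the
    // authzid is empty the password ends up in token2 and there is no third token.
    static String[] tokenizerSlots(String userpass) {
        StringTokenizer t = new StringTokenizer(userpass, "\0");
        String token1 = t.nextToken();
        String token2 = t.nextToken();
        String token3;
        try {
            token3 = t.nextToken();
        } catch (NoSuchElementException e) {
            token3 = null; // this is the path the original code relied on
        }
        return new String[] {token1, token2, token3};
    }

    // Position-preserving parse: limit -1 keeps leading and empty fields, so the
    // password is always parts[2] and is never passed through a Username length check.
    static PlainCredentials parse(String base64Response) {
        byte[] raw = Base64.getDecoder().decode(base64Response);
        String[] parts = new String(raw, StandardCharsets.UTF_8).split("\0", -1);
        if (parts.length != 3 || parts[1].isEmpty()) {
            throw new IllegalArgumentException("malformed SASL PLAIN response");
        }
        return new PlainCredentials(parts[0], parts[1], parts[2]);
    }

    public static void main(String[] args) {
        String longPassword = "p".repeat(300); // constructed: longer than the 255-char Username limit
        String userpass = "\0alice@example.com\0" + longPassword; // constructed, empty authzid
        String[] slots = tokenizerSlots(userpass);
        System.out.println("tokenizer put password in token2: " + slots[1].equals(longPassword)
            + ", third token present: " + (slots[2] != null));
        String encoded = Base64.getEncoder().encodeToString(userpass.getBytes(StandardCharsets.UTF_8));
        PlainCredentials c = parse(encoded);
        System.out.println("split: authzid='" + c.authzid() + "' authcid=" + c.authcid()
            + " passwordLength=" + c.password().length());
    }
}
```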