Posted to server-dev@james.apache.org by "Niko Usai (Jira)" <se...@james.apache.org> on 2022/12/12 15:35:00 UTC

[jira] [Created] (JAMES-3868) Cannot handle IMAP PLAIN login with password longer than 255 char

Niko Usai created JAMES-3868:
--------------------------------

             Summary: Cannot handle IMAP PLAIN login with password longer than 255 char
                 Key: JAMES-3868
                 URL: https://issues.apache.org/jira/browse/JAMES-3868
             Project: James Server
          Issue Type: Bug
    Affects Versions: 3.6.0
            Reporter: Niko Usai


There is a bug, in my opinion, in how `AuthenticateProcessor` handles a PLAIN login that omits the authorization identity.
The fact is, when the authorization identity is blank, the password field is parsed with Username.of(), which has the 255 char limitation; the code expects an exception to be raised only when looking for the missing 3rd argument, where the password should be, which does not have this limitation.
This leads to an "IllegalArgumentException" from the Username class, creating an invalid AuthenticationAttempt.


{code:java}
String userpass = new String(Base64.getDecoder().decode(initialClientResponse));
StringTokenizer authTokenizer = new StringTokenizer(userpass, "\0");
String token1 = authTokenizer.nextToken();  // Authorization Identity
String token2 = authTokenizer.nextToken();  // Authentication Identity
try {
    // Username.of(token2) is evaluated before authTokenizer.nextToken(), so when the
    // authorization identity is omitted a password longer than 255 chars fails here
    return delegation(Username.of(token1), Username.of(token2), authTokenizer.nextToken());
} catch (java.util.NoSuchElementException ignored) {
    // If we got here, this is what happened.  RFC 2595
    // says that "the client may leave the authorization
{code}
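As an added illustration, not code from the James project: a Java sketch (Java 11+) of the parse order the report describes, with a stand-in for Username.of() that is assumed to enforce the 255 char limit mentioned above, beside a positional parse that keeps the empty authorization identity so the password is never validated as a username.

```java
import java.util.NoSuchElementException;
import java.util.StringTokenizer;

public class PlainParseDemo {
    // Assumed stand-in for James' Username.of(): per the report it rejects names over 255 chars.
    static String usernameOf(String s) {
        if (s.length() > 255) {
            throw new IllegalArgumentException("username longer than 255 chars");
        }
        return s;
    }

    // Same parse order as the snippet in the report: StringTokenizer drops the empty
    // authzid, so the password slides into token2 and is validated as a username.
    static String[] tokenizerParse(String decoded) {
        StringTokenizer t = new StringTokenizer(decoded, "\0");
        String token1 = t.nextToken();
        String token2 = t.nextToken();
        try {
            // Arguments evaluate left to right: usernameOf(token2) runs before nextToken().
            return new String[] {usernameOf(token1), usernameOf(token2), t.nextToken()};
        } catch (NoSuchElementException e) {
            // Only reached when token2 passed the length check; authzid was omitted.
            return new String[] {"", usernameOf(token1), token2};
        }
    }

    // Hardened: split with a negative limit keeps empty fields, so positions follow
    // RFC 4616 ([authzid] NUL authcid NUL passwd) and only identities are length-checked.
    static String[] positionalParse(String decoded) {
        String[] f = decoded.split("\0", -1);
        if (f.length != 3) {
            throw new IllegalArgumentException("PLAIN response must have exactly three fields");
        }
        String authzid = f[0].isEmpty() ? "" : usernameOf(f[0]);
        return new String[] {authzid, usernameOf(f[1]), f[2]};
    }

    public static void main(String[] args) {
        // Constructed sample (already base64-decoded): no authzid, user "alice", 300-char password.
        String decoded = "\0alice\0" + "p".repeat(300);
        try {
            tokenizerParse(decoded);
        } catch (IllegalArgumentException e) {
            System.out.println("tokenizer parse: " + e.getMessage());
        }
        String[] ok = positionalParse(decoded);
        System.out.println("positional parse: authcid=" + ok[1] + ", password length=" + ok[2].length());
    }
}
```

With the positional parse an over-long authentication identity still fails, but as a rejection of the identity field, and a long password is accepted regardless of whether the authorization identity was supplied.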