On Wednesday, 07.12.2005 at 11:39 -0800, Paul Lesneiwski wrote:
> > Couldn't find anything totally specific to this in the archives,
> > although there are many references to issues people have had
> > with vacation_local where users have 'special' characters in their
> > passwords.
> > Specifically, I have found that anyone with a space in their password
> > cannot use vacation_local: it fails silently and creates none of the
> > .vacation.msg etc. files in the user's home directory.
> > This appears to be because vac_init.php calls
> > squirrelmail_vacation_proxy with space-delimited parameters, e.g.
> > ./squirrelmail_vacation_proxy server username password action source destination
> > If the password has a space, clearly the space-delimited parsing of that
> > command-line breaks down. Worse, it seems to silently fail, from the
> > Squirrelmail interface.
> > This is using squirrelmail in Debian Sarge (version 1.4.4-6sarge1) and
> > "Ver 2.0, 2005/04/14" of vacation_local.
> > I've 'fixed' this by asking users not to use spaces in their passwords!
> Sending you a development copy of the code offlist; the real fix should
> be made in the code of course. If you can reproduce it with the new
> code, please give any details you can from your logs -- where does it break?
I notice your development code doesn't include a new vac_init.php -
surely that needs changes to fix this bug, since it calls
squirrelmail_vacation_proxy in the 'unsafe' manner, when one has
passwords with space? Otherwise, squirrelmail_vacation_proxy is called
with parameters that are mis-parsed, i.e.
./squirrelmail_vacation_proxy localhost bob mypassword action src dest
will be OK, but if the password has a space:
./squirrelmail_vacation_proxy localhost bob my password action src dest
then 'my' will be parsed as the password and 'password' parsed as the
action etc., thus presumably failing at the password check stage.
Apologies if I've misunderstood what you've sent me, Paul. I don't want
to deploy the new code just at the moment until this is clarified,
because it's on a production server ...
Thanks for your help, Paul,
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.ceu.ox.ac.uk/~davee/davee-ceu-ox-ac-uk.asc
N 51.7518, W 1.2016
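The mis-parse described in this thread, as an added illustration that is not code from SquirrelMail or the vacation_local plugin. It assumes only the argument order the thread gives for squirrelmail_vacation_proxy; the proxy binary itself is replaced by a constructed stdin-reading stub so the block runs offline. It reproduces the field shift a space in the password causes, then shows the two invocation styles a defender would want instead: an argument vector (no shell word-splitting at all, the equivalent of quoting each argument with PHP's escapeshellarg() if a shell string is unavoidable) and, better still, handing the secret over on stdin so it never appears in argv or in ps output.

```python
"""Added example, not the plugin's code: why a space-delimited command line
mis-parses a password containing a space, and how to pass it safely."""
import shlex
import subprocess
import sys

PROXY = "./squirrelmail_vacation_proxy"          # name as given in the thread
FIELDS = ["server", "username", "password", "action", "source", "destination"]


def parse_space_delimited(cmdline: str) -> dict:
    """Reproduce the failure: plain whitespace splitting, which is what the
    shell does to an unquoted command line before the proxy ever sees argv.
    A password with a space becomes two words and every later field shifts."""
    argv = cmdline.split()[1:]                    # drop the program name
    return dict(zip(FIELDS, argv))                # surplus words silently discarded


def build_argv(server, username, password, action, source, destination):
    """Safe form: an argument vector. An exec()-style call passes each element
    through untouched, so no word-splitting can happen."""
    return [PROXY, server, username, password, action, source, destination]


def build_quoted_cmdline(*args):
    """If a single shell string is unavoidable, quote every argument
    (shlex.quote here, escapeshellarg() in PHP); the shell then undoes the
    quoting and delivers the original words intact."""
    return " ".join(shlex.quote(a) for a in build_argv(*args))


def parse_quoted(cmdline: str) -> dict:
    """Shell-style (quote-aware) splitting of a properly quoted command line."""
    return dict(zip(FIELDS, shlex.split(cmdline)[1:]))


# Constructed stand-in for the proxy (hypothetical, not the real binary): it
# reads the password from stdin, the other fields from argv, and echoes what it
# received so the caller can verify nothing was split or shifted.
PROXY_STUB = r'''
import sys
password = sys.stdin.read()                       # whole stream: spaces, even newlines, survive
server, username, action, source, destination = sys.argv[1:6]
print("|".join([server, username, password, action, source, destination]))
'''


def call_proxy_via_stdin(server, username, password, action, source, destination):
    """Preferred form: non-secret fields in argv, the secret on stdin. It is
    neither word-split nor visible to other users via the process list."""
    argv = [sys.executable, "-c", PROXY_STUB, server, username, action, source, destination]
    result = subprocess.run(argv, input=password, capture_output=True, text=True, check=True)
    return dict(zip(FIELDS, result.stdout.rstrip("\n").split("|")))


if __name__ == "__main__":
    args = ("localhost", "bob", "my password", "action", "src", "dest")
    print("unquoted :", parse_space_delimited(" ".join([PROXY, *args])))
    print("quoted   :", parse_quoted(build_quoted_cmdline(*args)))
    print("via stdin:", call_proxy_via_stdin(*args))
```

Running it shows the unquoted form assigning "my" to password and "password" to action, exactly the shift the report describes, while both safe forms return the fields as given.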