From:
Kirill A. Korinsky <kirill@korins.ky>
Subject:
Re: security/ejabberd-dovecot-auth: new port
To:
kn@openbsd.org, ports@openbsd.org
Date:
Fri, 27 Dec 2024 23:12:59 +0100

On Fri, 27 Dec 2024 22:52:04 +0100,
Stuart Henderson <stu@spacehopper.org> wrote:
> 
> regarding the filtering -
> 
> I see the problem for user_dovecot (and sort-of for logs, though
> if anything parsing logs is susceptible to shell chars you have bigger
> problems ;)
> 
> for auth_dovecot, the password and username are b64-encoded. for
> simplicity/sanity I think you want the same filtering on username as
> for user_dovecot. but for the password, I think you only have \0 to
> worry about?
> 

Probably, but I can't prove that it works in my tests, and to make things
cleaner and simpler I decided to use a similar filter.

Thus, this restriction can be reviewed when and if someone really decides to
use \r or \n or \t in a password in Jabber. Which I doubt.

-- 
wbr, Kirill
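
To make the distinction in the exchange above concrete (username reaching a raw lookup path vs. password travelling only inside the base64 SASL PLAIN blob), here is an added example that is not code from the port, from Kirill or from Stuart. It builds a Dovecot auth-client AUTH line with SASL PLAIN, which is tab-separated and newline-terminated and carries the credentials as base64 of "authzid NUL authcid NUL password". The username regex, the service name "xmpp", the request id and the sample credentials are all assumptions constructed for the example; what the port actually allows is not shown in the thread.

```python
import base64
import re
from typing import Tuple

# Assumption for this example: a conservative username charset. The username
# is also used outside the base64 blob (the user lookup), so it gets the
# stricter filter. The real port's filter is not shown in the thread.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def check_username(user: str) -> bool:
    """Reject anything outside the assumed conservative charset."""
    return bool(USERNAME_RE.match(user))


def check_password(password: str) -> bool:
    """Inside the SASL PLAIN message the password is base64-encoded, so
    shell metacharacters, \\r, \\n and \\t never reach the auth socket
    unencoded. NUL is the field delimiter of the PLAIN message itself,
    so it is the one byte that must be refused."""
    return "\0" not in password


def plain_response(user: str, password: str) -> str:
    """Base64 of the SASL PLAIN initial response: authzid NUL authcid NUL passwd.
    The authzid is left empty (authenticate as the given user)."""
    raw = b"\0" + user.encode("utf-8") + b"\0" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_request(req_id: int, user: str, password: str, service: str = "xmpp") -> str:
    """Dovecot auth-client AUTH line: tab-separated fields, newline-terminated.
    The base64 payload is the only place where user-supplied input appears."""
    if not check_username(user):
        raise ValueError("username rejected by filter")
    if not check_password(password):
        raise ValueError("NUL byte in password")
    resp = plain_response(user, password)
    return f"AUTH\t{req_id}\tPLAIN\tservice={service}\tresp={resp}\n"


def decode_plain(resp_b64: str) -> Tuple[str, str, str]:
    """Inverse of plain_response, as the server side would see it."""
    authzid, authcid, passwd = base64.b64decode(resp_b64).split(b"\0", 2)
    return authzid.decode("utf-8"), authcid.decode("utf-8"), passwd.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: a password stuffed with shell metacharacters and
    # whitespace that would be dangerous in a raw path but is inert here.
    line = auth_request(1, "alice@example.org", "p;rm -rf /\n\t$(id)")
    print(repr(line))
    resp = line.rsplit("resp=", 1)[1].rstrip("\n")
    print(decode_plain(resp))
```

The point the example makes: after `auth_request` the only tabs in the line are the four protocol separators and the only newline is the terminator, however hostile the password is, because base64 output cannot contain them. The username still deserves the stricter filter because it is reused on a path where it is not encoded.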