From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: security/ejabberd-dovecot-auth: new port
To: ports@openbsd.org, kn@openbsd.org
Date: Mon, 25 Nov 2024 16:21:57 +0100

On Mon, 25 Nov 2024 12:40:13 +0100,
Stuart Henderson <stu@spacehopper.org> wrote:
> 
> p5-Authen-SASL-Authd:
> 
> s/Commulitive/Cumulative/ in patch comment, then it's ok
> 
> 
> ejabberd-dovecot-auth:
> 
> pkg-readme fixes;
> 
> -ejabeerd. Following code migth be added globally to switch all vhost to
> +ejabberd. Following code might be added globally to switch all vhosts to
> -	extauth_program: ${PREFIX}/share/ejabberd-dovecot-auth/check-dovecot
> +	extauth_program: ${TRUEPREFIX}/share/ejabberd-dovecot-auth/check-dovecot
> 
> this does nothing useful; ${WRKINST}/${SYSCONFDIR} doesn't make it into
> the package
> 
> 	${INSTALL_DATA_DIR} ${WRKINST}/${SYSCONFDIR}/dovecot/conf.d
>

fixed

> "Restrictions: Username or passwords may not contain some special
> characters: $'"` nor line breaks"
> 
> uh oh, that sounds very bad
> 

After careful reading of dovecot prototocl and the code of both new ports...
The new restrictions are:
 - Username should not contain :$'"`\00\01\t\r\n
 - Password should not contain \00\01\t\r\n

it was tested with passwords like: asd$'":`!!xyz

Ok?

-- 
wbr, Kirill