From: Kirill A. Korinsky
Subject: Re: security/ejabberd-dovecot-auth: new port
To: ports@openbsd.org, kn@openbsd.org
Date: Wed, 18 Dec 2024 00:48:31 +0100

On Mon, 25 Nov 2024 16:21:57 +0100,
Kirill A. Korinsky wrote:
>
> On Mon, 25 Nov 2024 12:40:13 +0100,
> Stuart Henderson wrote:
> >
> > p5-Authen-SASL-Authd:
> >
> > s/Commulitive/Cumulative/ in patch comment, then it's ok
> >
> >
> > ejabberd-dovecot-auth:
> >
> > pkg-readme fixes;
> >
> > -ejabeerd. Following code migth be added globally to switch all vhost to
> > +ejabberd. Following code might be added globally to switch all vhosts to
> > - extauth_program: ${PREFIX}/share/ejabberd-dovecot-auth/check-dovecot
> > + extauth_program: ${TRUEPREFIX}/share/ejabberd-dovecot-auth/check-dovecot
> >
> > this does nothing useful; ${WRKINST}/${SYSCONFDIR} doesn't make it into
> > the package
> >
> > ${INSTALL_DATA_DIR} ${WRKINST}/${SYSCONFDIR}/dovecot/conf.d
> >
>
> fixed
>
> > "Restrictions: Username or passwords may not contain some special
> > characters: $'"` nor line breaks"
> >
> > uh oh, that sounds very bad
> >
>
> After careful reading of dovecot protocol and the code of both new ports...
> The new restrictions are:
> - Username should not contain :$'"`\00\01\t\r\n
> - Password should not contain \00\01\t\r\n
>
> it was tested with passwords like: asd$'":`!!xyz
>

Anyone?

-- 
wbr, Kirill
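The restrictions listed in the quoted message, as an added example (not code from either port): a check a caller could run before handing credentials to the auth helper, reporting offending characters by code point so that neither control characters nor password contents end up in a log. The function and constant names are hypothetical, and the sample inputs other than the password quoted in the message are constructed.

```python
# Added example; names are hypothetical and not taken from either port.
# Character sets are copied from the restrictions stated in the message.
USERNAME_FORBIDDEN = frozenset(":$'\"`\x00\x01\t\r\n")
PASSWORD_FORBIDDEN = frozenset("\x00\x01\t\r\n")


def forbidden_chars(value, forbidden):
    """Return the forbidden characters present in value, sorted by code point."""
    return sorted(set(value) & forbidden)


def check_credentials(username, password):
    """Return (ok, reasons).

    Each reason names the field and the offending code point only, so the
    result is safe to log: no raw control characters, no password text.
    """
    reasons = []
    for field, value, forbidden in (
        ("username", username, USERNAME_FORBIDDEN),
        ("password", password, PASSWORD_FORBIDDEN),
    ):
        for ch in forbidden_chars(value, forbidden):
            reasons.append(f"{field}: U+{ord(ch):04X} not allowed")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs; the first password is the one quoted in the message.
    samples = [
        ("alice", "asd$'\":`!!xyz"),   # shell metacharacters are fine in a password
        ("asd$'\":`!!xyz", "secret"),  # but not in a username
        ("alice", "a\tb"),             # tab in a password is rejected
        ("bob\x01", "p\x00"),          # control bytes in both fields
    ]
    for user, pw in samples:
        ok, reasons = check_credentials(user, pw)
        print("accept" if ok else "reject", reasons)
```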