[issue27820] Possible bug in smtplib when initial_response_ok=False

Sun, 13 Dec 2020 22:48:32 -0800 


Pandu E POLUAN <pepol...@gmail.com> added the comment:

Hi, I'm one of the maintainers of aio-libs/aiosmtpd.

This issue also bit me when trying to write unit tests for aio-libs/aiosmtpd 
AUTH implementation

But I partially disagree with Dario D'Amico's changes, specifically the 
suggested change in the auth_login() method.

According to draft-murchison-sasl-login-00.txt [1], the two challenges sent by 
the server SHOULD be ignored. The example in that document uses 
b"VXNlciBOYW1lAA==" and b"UGFzc3dvcmQA" (b64 of b"User Name\x00" and 
b"Password\x00", respectively), and this is what we have implemented in 
aio-libs/aiosmtpd.

Furthermore, the same document never indicated that username may be sent along 
with "AUTH LOGIN", so we haven't implemented that in aio-libs/aiosmtpd.

So rather than hardcoding the challenges to b"Username:" and b"Password:", a 
compliant SMTP client must instead _count_ the number of challenges it received.

I propose the following changes instead:

    def auth(self, mechanism, authobject, *, initial_response_ok=True):
        ... snip ...
        if initial_response is not None:
            response = encode_base64(initial_response.encode('ascii'), eol='')
            (code, resp) = self.docmd("AUTH", mechanism + " " + response)
            self._challenge_count = 1
        else:
            (code, resp) = self.docmd("AUTH", mechanism)
            self._challenge_count = 0
        # If server responds with a challenge, send the response.
        while code == 334:
            self._challenge_count += 1
            challenge = base64.decodebytes(resp)
        ... snip ...

    ... snip ...

    def auth_login(self, challenge=None):
        """ Authobject to use with LOGIN authentication. Requires self.user and
        self.password to be set."""
        if challenge is None or self._challenge_count < 2:
            return self.user
        else:
            return self.password


[1] https://www.ietf.org/archive/id/draft-murchison-sasl-login-00.txt

----------
nosy: +pepoluan

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue27820>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to