On Wed, Jul 29, 2009 at 6:29 AM, Jean-Paul Calderone <[email protected]> wrote:

> On Wed, 29 Jul 2009 00:54:20 -0500, Kevin Horn <[email protected]> wrote:
> >I was digging through the Twisted IMAP code tonight and I noticed something
> >puzzling...
> >
> >PLAINAuthenticator.challengeResponse() uses the following statement to send
> >auth credentials to the server
> >
> >    return '%s\0%s\0' % (self.user, secret)
> >
> >which would give auth credentials of the form:
> >
> >    authid<NUL>password<NUL>
> >
> >    (where <NUL> is the NUL character)
> >
> >However, both RFC2595 and RFC4616 (both define the PLAIN SASL mechanism),
> >say that credentials should be passed this way:
> >
> >    [authzid]<NUL>authnid<NUL>password
> >
> >    (where <NUL> is the NUL character and [authzid] is optional)
> >
> >Now even if one was to leave the authzid out of the equation, you would end
> >up with something like this:
> >
> >    <NUL>authnid<NUL>password
> >
> >and the version Twisted's IMAP code uses appears to be invalid.
> >
> >Am I crazy?
> >Am I missing something?
> >Is it just way too late and I should put the RFCs down and back away slowly?
>
> My early morning reading of the RFC agrees with yours. Someone else brought
> this up a long time ago, I think, but never pointed out the RFC.
>
> Can you file a ticket?
>
> Jean-Paul

At least I'm not crazy... :)

Ticket #3939 filed:
http://twistedmatrix.com/trac/ticket/3939

also added a note in the ticket that PLAINCredentials may need to be modified to match

Kevin Horn
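Added example (not part of the original message and not Twisted's code): a strict RFC 4616 PLAIN encoder and parser in Python 3, showing how the `'%s\0%s\0'` form quoted in the thread is read by a peer that splits on NUL. The function names are illustrative assumptions; `authcid` is the RFC's name for what the thread calls authnid.

```python
NUL = b"\x00"


class PlainFormatError(ValueError):
    """Message does not match RFC 4616: [authzid] NUL authcid NUL passwd."""


def encode_plain(authcid, passwd, authzid=""):
    """Build a PLAIN response; authzid is optional and may be empty."""
    fields = [s.encode("utf-8") for s in (authzid, authcid, passwd)]
    if not fields[1] or not fields[2]:
        raise PlainFormatError("authcid and passwd must be non-empty")
    if any(NUL in f for f in fields):
        raise PlainFormatError("NUL is not allowed inside a field")
    return NUL.join(fields)


def parse_plain(message):
    """Strictly parse a PLAIN response into (authzid, authcid, passwd)."""
    fields = message.split(NUL)
    if len(fields) != 3:
        raise PlainFormatError(
            "expected 2 NUL separators, found %d" % (len(fields) - 1))
    try:
        authzid, authcid, passwd = (f.decode("utf-8") for f in fields)
    except UnicodeDecodeError as exc:
        raise PlainFormatError("fields must be valid UTF-8") from exc
    if not authcid or not passwd:
        raise PlainFormatError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def legacy_response(user, secret):
    """The form quoted in the thread: user NUL secret NUL (constructed here)."""
    return ("%s\0%s\0" % (user, secret)).encode("utf-8")


def check(message):
    """Return a one-line verdict a server-side log could record."""
    try:
        authzid, authcid, _ = parse_plain(message)
    except PlainFormatError as exc:
        return "rejected: %s" % exc
    return "accepted: authzid=%r authcid=%r" % (authzid, authcid)


if __name__ == "__main__":
    # Sample credentials are constructed for illustration.
    print(check(encode_plain("kevin", "s3cret")))
    print(check(legacy_response("kevin", "s3cret")))
```

Split on NUL, the legacy form puts the user name in the authzid slot, the secret in the authcid slot, and leaves the password empty, which is why a strict parser rejects it.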
