/* Map of which characters are allowed by auth_canonifyid.
* Key: 0 -> not allowed (special, ctrl, or would confuse Unix or imapd)
* 1 -> allowed, but requires an alpha somewhere else in the string
* 2 -> allowed, and is an alpha
*
* At least one character must be an alpha.
*
* This may not be restrictive enough.
* Here are the reasons for the restrictions:
*
* & forbidden because of MUTF-7. (This could be fixed.)
* : forbidden because it's special in /etc/passwd
* / forbidden because it can't be used in a mailbox name
* * % forbidden because they're IMAP magic in the LIST/LSUB commands
* ? it just scares me
* ctrl chars, DEL
* can't send them as IMAP characters in plain folder names, I think
* 80-FF forbidden because you can't send them in IMAP anyway
* (and they're forbidden as folder names). (This could be fixed.)
*
* + and - are *allowed* although '+' is probably used for userid+detail
* subaddressing and qmail users use '-' for subaddressing.
*
* Identifiers don't require a digit, really, so that should probably be
* relaxed, too.
*/
static char allowedchars[256] = {
/* 0 1 2 3 4 5 6 7 8 9 A B C D E F */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 00-0F */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 10-1F */
#ifdef ENABLE_EDUNET
0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */
1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 40-4F */
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 1, /* 50-5F */
#else
1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */
1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 40-4F */
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, /* 50-5F */
#endif
1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 60-6F */
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 0, /* 70-7F */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/*
* Convert 'identifier' into canonical form.
* Returns a pointer to a static buffer containing the canonical form
* or NULL if 'identifier' is invalid.
*
* XXX If any of the characters marked with 0 are valid and are cropping up,
* the right thing to do is probably to canonicalize the identifier to two
* representations: one for getpwent calls and one for folder names. The
* latter canonicalizes to a MUTF7 representation.
*/
char *auth_canonifyid(identifier, len)
const char *identifier;
size_t len;
{
static char retbuf[81];
#ifndef ENABLE_EDUNET
struct group *grp;
#endif
char sawalpha;
char *p;
if(!len) len = strlen(identifier);
if(len >= sizeof(retbuf)) return NULL;
if (strcasecmp(identifier, "anonymous") == 0) {
return "anonymous";
}
if (strcasecmp(identifier, "anybody") == 0 ||
strcasecmp(identifier, "anyone") == 0) {
return "anyone";
}
memcpy(retbuf, identifier, len);
retbuf[len] = '\0';
/* This used to be far more restrictive, but many sites seem to ignore the
* ye olde Unix conventions of username. Specifically, we used to
* - drop case on the buffer
* - disallow lots of non-alpha characters ('-', '_', others)
* Now we do neither of these, but impose a very different policy based on
* the character map above.
*/
if (!strncmp(retbuf, "group:", 6)) {
#ifndef ENABLE_EDUNET
grp = getgrnam(retbuf+6);
if (!grp) return 0;
strcpy(retbuf+6, grp->gr_name);
#endif
return retbuf;
}
/* Copy the string and look up values in the allowedchars array above.
* If we see any we don't like, reject the string.
*/
sawalpha = 0;
for(p = retbuf; *p; p++) {
switch (allowedchars[*(unsigned char*) p]) {
case 0:
return NULL;
case 2:
sawalpha = 1;
/* FALL THROUGH */
#ifdef ENABLE_EDUNET
case 3:
sawalpha = 1;
*p = tolower((unsigned char) *p);
#endif
default:
;
}
}
if (!sawalpha) return NULL; /* has to be one alpha char */
return retbuf;
}
Gardiner Leverett wrote:
Gardiner Leverett wrote:The problem is this: On the new machine, a user mailbox is "foobar" for example. The user connects (through the client) as "FOOBAR". SASL authenticates the user fine, but the user can't see the INBOX or any other folders. If the user connects as "foobar", SASL authenticates correctly, and the user can see their mailbox.One other note: if the user is using Outlook and they connect as uppercase, Cyrus will CREATE a new mailbox for the uppercase user. When I tried using Netscape, this did not happen. I don't know if it's a config issue with Outlook, but either way, the mailbox is created, and the user FOOBAR has access to the new mailbox "FOOBAR" and not "foobar".
