fetchmail-friends

[fetchmail] Minor security bug, how to fix?

2003-07-27 06:22:34

Hi friends,

I'd like to talk about a way to fix a small security problem.  This is
not important enough to justify privacy, so let's discuss it all together.
Fetchmail has a very interesting feature: scrambling passwords in
verbose mode.  This is done in the gen_send function and works
basically by replacing the first occurrence of the password in any sent
line.  Here is Debian bug report #200470 [1]:

 If the password is a substring of the username, fetchmail will
 asterisk out part of the username rather than the password.

 For example, username "test@example.com", password "test"

 fetchmail: IMAP> A0004 LOGIN "*@example.com" "test"

 or username "test@example.com", password "te"

 fetchmail: IMAP> A0004 LOGIN "*st@example.com" "te"

It appears to me that the only way to fix this problem (replacing all
occurrences of the password would lead to some easy clues about the
password) is to rewrite the vsprintf call to a hand-made function in
the spirit of vsprintf that would strip passwords.  This would require
tagging passwords in every call to gen_send but it is the only clean
way I see.

What do you think?  May I send a patch using this solution or is there
a cleaner way to achieve that?

Cheers,
Benjamin

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200470

-- 
  .''`.
 ; ;' ;      Debian GNU/Linux     |   Benjamin Drieu
 `. `'    http://www.debian.org/  |  <benj(_at_)debian(_dot_)org>
   `-    
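
The difference between masking by substring search and masking a tagged argument, as an added example (not fetchmail's code and not the patch proposed in this message). `mask_first` reproduces the behaviour from the bug report; `fmt_tagged`, its `mask` flag and the `%P` directive are hypothetical names for a formatter that is told which argument is the password.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGIN_FMT "A0004 LOGIN \"%s\" \"%P\""  /* %P: hypothetical "secret" tag */

/* Behaviour from the bug report: mask the first occurrence of the password
 * anywhere in the finished line. Illustration only, not fetchmail source. */
static char *mask_first(const char *line, const char *pw, char *out, size_t n)
{
    const char *hit = *pw ? strstr(line, pw) : NULL;
    if (!hit) snprintf(out, n, "%s", line);
    else snprintf(out, n, "%.*s*%s", (int)(hit - line), line, hit + strlen(pw));
    return out;
}

/* Hypothetical tagged formatter: understands only %s and %P, n must be >= 1.
 * With mask set, a %P argument is written as "*" wherever else it appears. */
static char *fmt_tagged(char *out, size_t n, int mask, const char *fmt, ...)
{
    va_list ap;
    out[0] = '\0';
    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        size_t room = n - 1 - strlen(out);      /* space left before the NUL */
        if (fmt[0] == '%' && (fmt[1] == 's' || fmt[1] == 'P')) {
            const char *arg = va_arg(ap, const char *);
            if (mask && fmt[1] == 'P') arg = "*";
            strncat(out, arg, room);
            fmt++;                              /* skip the conversion letter */
        } else {
            strncat(out, fmt, room ? 1 : 0);    /* literal character */
        }
    }
    va_end(ap);
    return out;
}

int main(void)
{
    char wire[128], shown[128], old[128];       /* sample values are constructed */
    fmt_tagged(wire, sizeof wire, 0, LOGIN_FMT, "test@example.com", "test");
    fmt_tagged(shown, sizeof shown, 1, LOGIN_FMT, "test@example.com", "test");
    printf("first occurrence: %s\n", mask_first(wire, "test", old, sizeof old));
    printf("tagged argument:  %s\n", shown);
    return 0;
}
```

The logged line from the tagged formatter is the same for any password value, so it also avoids the clue that replacing every occurrence would give.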
