[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
smtpmail.el security flaw in selecting authentication mechanism
|
From: |
Simon Josefsson |
|
Subject: |
smtpmail.el security flaw in selecting authentication mechanism |
|
Date: |
Tue, 03 Mar 2009 17:30:21 +0100 |
|
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.90 (gnu/linux) |
I just noticed that smtpmail.el chose to use the LOGIN mechanism against
gmail.com which was surprising because they support PLAIN, which should
be preferred. Debugging this I noticed this is the code that is
responsible for selecting the authentication mechanism to use:
(defun smtpmail-try-auth-methods (process supported-extensions host port)
(let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
(mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))
Some experiments with this:
(smtpmail-intersection smtpmail-auth-supported '(login plain cram-md5))
(login plain cram-md5)
Thus the code choses the first supported mechanism in the _servers_
order. It should use the local list instead. Compare:
(smtpmail-intersection '(login plain cram-md5) smtpmail-auth-supported)
(cram-md5 plain login)
The patch below fixes this. I have committed it on the trunk. Maybe it
it should be backported in case you make releases from another branch?
This can be a security problem, since it allows the server to control
whether for example LOGIN or PLAIN (that sends the password in
plaintext) is used instead of CRAM-MD5 (which does not). Of course,
security aware people use STARTTLS anyway, which should mitigate this.
/Simon
Index: lisp/ChangeLog
===================================================================
RCS file: /sources/emacs/emacs/lisp/ChangeLog,v
retrieving revision 1.15426
diff -u -p -r1.15426 ChangeLog
--- lisp/ChangeLog 3 Mar 2009 16:12:02 -0000 1.15426
+++ lisp/ChangeLog 3 Mar 2009 16:22:18 -0000
@@ -1,3 +1,11 @@
+2009-03-03 Simon Josefsson <address@hidden>
+
+ * mail/smtpmail.el (smtpmail-auth-supported): Mention that list is
+ in preference order.
+ (smtpmail-try-auth-methods): Improve which authentication
+ mechanism to use, so that the locally most preferred and mutually
+ supported mechanism is used.
+
2009-03-03 Stefan Monnier <address@hidden>
* emacs-lisp/lisp.el (end-of-defun-function): Make it more clear that
Index: lisp/mail/smtpmail.el
===================================================================
RCS file: /sources/emacs/emacs/lisp/mail/smtpmail.el,v
retrieving revision 1.108
diff -u -p -r1.108 smtpmail.el
--- lisp/mail/smtpmail.el 5 Jan 2009 03:22:37 -0000 1.108
+++ lisp/mail/smtpmail.el 3 Mar 2009 16:22:18 -0000
@@ -218,7 +218,8 @@ This is relative to `smtpmail-queue-dir'
(defvar smtpmail-read-point)
(defconst smtpmail-auth-supported '(cram-md5 plain login)
- "List of supported SMTP AUTH mechanisms.")
+ "List of supported SMTP AUTH mechanisms.
+The list is in preference order.")
(defvar smtpmail-mail-address nil
"Value to use for envelope-from address for mail from ambient buffer.")
@@ -534,7 +535,7 @@ This is relative to `smtpmail-queue-dir'
(defun smtpmail-try-auth-methods (process supported-extensions host port)
(let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
- (mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))
+ (mech (car (smtpmail-intersection mechs smtpmail-auth-supported)))
(auth-user (auth-source-user-or-password
"login" host (or port "smtp")))
(auth-pass (auth-source-user-or-password
- smtpmail.el security flaw in selecting authentication mechanism,
Simon Josefsson <=