View Issue Details

ID: 0000433
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2010-04-12 17:25
Reporter: luca
Assigned To: wsourdeau
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: nightly v2
Target Version: 1.2.2
Fixed in Version: 1.2.2
Summary0000433: Obtain imap password from authorization header in proxy auth mode
Description

I casually discovered that if you are using basic authentication with SOGoTrustProxyAuthentication=YES and don't set x-webobject-remote-user, SOGo will derive the username from the Authorization header.
The attached patch recovers the password so that SOGo can login to the imap server.
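To make the header handling concrete, here is a small added example (not part of the attached patch or of SOGo itself) that does in Python what the patch asks SOGo to do: take an HTTP Authorization header carrying the Basic scheme, recover the user-id and password, and hand the password to an IMAP login step only when the caller is not asking for a renewed password. The lower-cased header name, the renew flag, the sample credentials and the make_basic_header helper are constructed for this illustration.

```python
import base64
import binascii
from typing import Mapping, Optional, Tuple


def parse_basic_credentials(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user_id, password) from a Basic Authorization header, or None.

    None is returned whenever the header is missing, uses another scheme,
    is not valid base64, or lacks the ':' separator. This mirrors the
    `[creds count] > 1` guard in the patch: no usable pair, no password.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', the password can, so split
    # on the first colon only.
    user_id, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user_id, password


def imap_password_from_headers(headers: Mapping[str, str], renew: bool = False) -> Optional[str]:
    """Password to use for the IMAP login, or None.

    When the caller asks for a renewed password (the IMAP server rejected the
    previous one) there is nothing newer to offer than the same header, so
    return None rather than retrying the identical credential.
    """
    if renew:
        return None
    creds = parse_basic_credentials(headers.get("authorization"))
    return creds[1] if creds else None


def make_basic_header(user_id: str, password: str) -> str:
    """Hypothetical helper to build a Basic header for constructed test input."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    # Constructed request headers, lower-cased as a proxy would normalise them.
    request = {"authorization": make_basic_header("luca", "s3cret:with:colons")}
    print(parse_basic_credentials(request["authorization"]))
    print(imap_password_from_headers(request))
    print(imap_password_from_headers(request, renew=True))
```

Splitting on the first colon only matters: a password containing ':' would otherwise be truncated. Returning None for the renew case keeps the property the maintainer asks for in the final note, so a rejected password is not silently resubmitted.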

Tags: No tags attached.

Activities

2010-02-16 10:19

sogo-proxyauth-password.patch (1,749 bytes)   
diff --unified --recursive SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.h SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.h
--- SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.h	2010-02-08 21:39:16.000000000 +0100
+++ SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.h	2010-02-09 09:23:26.000000000 +0100
@@ -40,8 +40,8 @@
 
 @class SOGoUser;
 
-// @interface SOGoProxyAuthenticator : SoHTTPAuthenticator <SOGoAuthenticator>
-@interface SOGoProxyAuthenticator : NSObject <SOGoAuthenticator>
+@interface SOGoProxyAuthenticator : SoHTTPAuthenticator <SOGoAuthenticator>
+// @interface SOGoProxyAuthenticator : NSObject <SOGoAuthenticator>
 
 + (id) sharedSOGoProxyAuthenticator;
 
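Review bot: the superclass swap in SOGoProxyAuthenticator.h keeps the old `@interface SOGoProxyAuthenticator : NSObject <SOGoAuthenticator>` line as a comment while uncommenting the `SoHTTPAuthenticator` variant; delete the commented-out declaration rather than toggling it, since version control already records the history, and state the reason for the change (presumably access to the inherited `parseCredentials:` used in the .m hunk) in the commit message or a one-line comment. Changing the superclass also changes which inherited methods the object responds to beyond the one needed here, so the description should say why it was previously left as NSObject.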
diff --unified --recursive SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.m SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.m
--- SOGo.orig/SoObjects/SOGo/SOGoProxyAuthenticator.m	2010-02-08 21:39:16.000000000 +0100
+++ SOGo/SoObjects/SOGo/SOGoProxyAuthenticator.m	2010-02-09 09:25:21.000000000 +0100
@@ -100,14 +100,26 @@
 
 - (NSString *) passwordInContext: (WOContext *) context
 {
-  return @"";
+  NSString  *auth, *password;
+  NSArray   *creds;
+
+  password = nil;
+  auth = [[context request] headerForKey: @"authorization"];
+  if (auth)
+    {
+      creds = [self parseCredentials: auth];
+      if ([creds count] > 1)
+	password = [creds objectAtIndex: 1];
+    }
+
+  return password;
 }
 
 - (NSString *) imapPasswordInContext: (WOContext *) context
                            forServer: (NSString *) imapServer
                           forceRenew: (BOOL) renew
 {
-  return (renew ? nil : @"");
+  return [self passwordInContext: context];
 }
 
 - (WOResponse *) preprocessCredentialsInContext: (WOContext *) context
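Review bot: `imapPasswordInContext:forServer:forceRenew:` now ignores `renew` and returns the header password unconditionally, whereas the replaced line returned nil when `renew` is YES; a caller asking for a renewed password after the IMAP server rejected the current one gets the identical value back, so keep the distinction: `return (renew ? nil : [self passwordInContext: context]);`. Two smaller points: `passwordInContext:` now returns nil instead of the previous `@""` when the Authorization header is absent or does not parse into two elements, so callers that used the result without a nil check need reviewing; and `password = [creds objectAtIndex: 1];` is indented with a tab while the rest of the hunk uses spaces.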

wsourdeau

2010-04-07 13:56

viewer   ~0000883

Why are you using the proxy authenticator rather than the regular one? What is the use case here?

luca

2010-04-08 02:54

reporter   ~0000896

Because it works?
Access to our intranet from the outside is protected by basic auth, all other services that need authorization (i.e., squirrelmail) get the credentials from the basic auth headers, and sogo apparently works with it too (please don't remove the feature).
Basic auth contains the username and the password, so it's possible to extract the password to login to the imap server.

wsourdeau

2010-04-12 17:25

viewer   ~0000930

Fixed in 2480fdc1f3b38f823b4837afc37bd69832ad93be.

I have used a slightly different method: the subclassing from SoHTTPAuthenticator is avoided. I don't remember if there was a reason for that but I preferred to be conservative. Also, it's important that the imapPasswordInContext:forServer:forceRenew: returns nil when renew is YES.

Issue History

Date Modified Username Field Change
2010-02-16 10:19 luca New Issue
2010-02-16 10:19 luca File Added: sogo-proxyauth-password.patch
2010-02-23 09:18 ludovic Target Version => 1.2.2
2010-04-07 13:56 wsourdeau Note Added: 0000883
2010-04-08 02:54 luca Note Added: 0000896
2010-04-12 17:25 wsourdeau Note Added: 0000930
2010-04-12 17:25 wsourdeau Status new => resolved
2010-04-12 17:25 wsourdeau Fixed in Version => 1.2.2
2010-04-12 17:25 wsourdeau Resolution open => fixed
2010-04-12 17:25 wsourdeau Assigned To => wsourdeau