bug-mailutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

I want to add non-RFC passwd to pop and imap


From: Sam Roberts
Subject: I want to add non-RFC passwd to pop and imap
Date: Thu, 12 Jul 2001 22:56:03 -0400
User-agent: Mutt/1.3.16i

Reading the RFCs, they are riddled with references to browsers and
users, seemingly without awareness that URLs are generally useable
for descriptions of how to access resources. Passwords were
disallowed for security reasons that do not exist in many applications.

Example, mutt's configuration file:

set spoolfile=imap://address@hidden
set imap_pass=XXX

The security advantage is....?

It *should* allow the password as in the other URLs, ftp, http,
etc., now you have to invent another syntax for fully specifying
the resource, and note that Mutt's mechanism is not general
enough, you have no way to specify which imap url the password
is associated with.

With sieve, I can't prompt the user for a password, it's for
unattended operation. I could invent a configuration file
that mapped passwords to URLs, for a hefty complexity and
flexibility cost, and NO security gain. I don't see why.

Also, I looked into the docs, cut the URL example out, and
compiled it. It doesn't do anything, sometime along the way
the URL parsing code got pulled out of url.c, and copied into
url_imap.c and url_pop.c. So, I pulled it back in, generalized
it, added this API:

extern int  url_parse     __P ((url_t));

which is a little odd, but allows url_create() to do nothing (as
it used to).

Now the imap and pop auth code, when looking for a password, looks
to see if one was parsed from the url before prompting the user.
I.e, backwards compatible.

I'm cleaning up the docs to match the new API before committing. But
is anybody going to be horrified? I REALLY think this is better than
the alternatives, all involving an out-of-band configuration
mechanism, mapping URLs to passwords.

Sam

p.s. In the process, I added decoding of %xx sequences in urls.

p.p.s. Attached is the url.c and imap_url.c for a more concrete
example, url syntax is:

-

Syntax, condensed from RFC 1738, and extended with the ;auth=
of RFC 2384 (for POP) and RFC 2192 (for IMAP):

url =
    scheme ":" = "//"

    [ user [ ( ":" password ) | ( ";auth=" auth ) ] "@" ]

    host [ ":" port ]

    [ "/" urlpath ]

-- 
Sam Roberts <address@hidden> (Vivez sans temps mort!)

Attachment: url.c
Description: Text document

Attachment: url_imap.c
Description: Text document


reply via email to

[Prev in Thread] Current Thread [Next in Thread]