[Tickets #1519] NEW: backslash must be doubled in password

bugs at bugs.horde.org bugs at bugs.horde.org
Wed Mar 9 10:27:52 PST 2005


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/?id=1519
-----------------------------------------------------------------------
 Ticket             | 1519
 Created By         | jmorzins at mit.edu
 Summary            | backslash must be doubled in password
 Queue              | IMP
 Version            | RELENG_3
 State              | Unconfirmed
 Priority           | 1. Low
 Type               | Bug
 Owners             | 
-----------------------------------------------------------------------


jmorzins at mit.edu (2005-03-09 10:27) wrote:

Hello,

I'm using IMP webmail 3.2 (<https://webmail.mit.edu/>).  I am not the site
administrator, and so do not know exactly which version of 3.2 is installed.
 I searched the bug database, and did not find any bug reports concerning
backslashes in passwords, so I believe this bug is still present in current
versions of IMP.


Description of problem:

If a person's password contains a backslash character, they need to type
each backslash twice in order to be able to log in.  If they only type the
backslash a single time, they get an error:

"Login failed for some reason. Most likely your username or password was
entered incorrectly. "

Doubling the backslashes does enable correct login.


How to reproduce:

+ Choose or create an IMAP account whose password contains a backslash.
+ Use Outlook or Mozilla or some other IMAP client to verify that the
password is correctly stored on the server, and that the IMAP client only
needs to type the backslash once for each time it appears in the password.
+ Use Horde IMP to access the accound, and observe that the backslash has to
be typed into IMP's login screen twice.


Comments and speculation:

My own speculation is that IMP is failing to encode password strings before
sending the passwords on to the server.  The IMAP specification, RFC 2060,
allows passwords to be either atoms or quoted strings, but specifies that
backslashes in quoted strings must be doubled.  If IMP is failing to double
backslashes before sending the password on to the IMAP server, this could be
causing the observed behavior.  When the user manually doubles each
backslash, they correct for IMP's omission.


Thank you,
 Jacob Morzinski





Related information:

RFC 2060 definitions that are relevant to passwords follow:


login           ::= "LOGIN" SPACE userid SPACE password

password        ::= astring
astring         ::= atom / string

atom            ::= 1*ATOM_CHAR
ATOM_CHAR       ::= <any CHAR except atom_specials>
atom_specials   ::= "(" / ")" / "{" / SPACE / CTL / list_wildcards /
                   quoted_specials
list_wildcards  ::= "%" / "*"
quoted_specials ::= <"> / "\"

string          ::= quoted / literal
quoted          ::= <"> *QUOTED_CHAR <">
QUOTED_CHAR     ::= <any TEXT_CHAR except quoted_specials> /
                   "\" quoted_specials
TEXT_CHAR       ::= <any CHAR except CR and LF>
quoted_specials ::= <"> / "\"

literal         ::= "{" number "}" CRLF *CHAR8
                   ;; Number represents the number of CHAR8 octets
number          ::= 1*digit
                   ;; Unsigned 32-bit integer
                   ;; (0 <= n < 4,294,967,296)
CHAR8           ::= <any 8-bit octet except NUL, 0x01 - 0xff>




More information about the bugs mailing list