Manage passwords with special characters

[pgaufillet]

Hi!

I have encountered issues with fetchmail_rc when pop/imap passwords include special characters. The analysis has revealed 2 causes:

• The shell command is not correctly protected by quotes. The single quotes are eatten by the shell and the strings are not protected anymore when parsed by fetchmail. Adding surrounding double quotes ('"' . escapeshellarg($this->get_mail_password()) . '"') solves it. Maybe it should be applied to all string parameters of fetchmail (and probably at least _mail_user_name).
• By default, get_input_value filters the input string and removes HTML tags. Unfortunately, it may remove parts of the password, for example when you have <? characters. A solution is to disable the HTML filter by adding true as third parameter: get_input_value('_mail_password', RCUBE_INPUT_POST, true). I don't think it raises any security issue as the password is never displayed or interpreted.

This pull request also replaces $rcmail_config by $config but I am not sure it is required or not, depending on the version of roundcube and the deployment platform. This commit is not linked to the password issue.

Comments and questions welcome.

Pierre

[gilles-hemmerle]

Hi,
Thank you for your comments.
I will have a look at this by today when I got some time and merge / change the parameters in order to improve security of shell arguments.

Gilles.

Le 19 nov. 2015 à 11:11, pgaufillet notifications@github.com a écrit :

Hi!

I have encountered issues with fetchmail_rc when pop/imap passwords include special characters. The analysis has revealed 2 causes:

The shell command is not correctly protected by quotes. The single quotes are eatten by the shell and the strings are not protected anymore when parsed by fetchmail. Adding surrounding double quotes ('"' . escapeshellarg($this->get_mail_password()) . '"') solves it. Maybe it should be applied to all string parameters of fetchmail (and probably at least _mail_user_name).
By default, get_input_value filters the input string and removes HTML tags. Unfortunately, it may remove parts of the password, for example when you have <? characters. A solution is to disable the HTML filter by adding true as third parameter: get_input_value('_mail_password', RCUBE_INPUT_POST, true). I don't think it raises any security issue as the password is never displayed or interpreted.
This pull request also replaces $rcmail_config by $config but I am not sure it is required or not, depending on the version of roundcube and the deployment platform. This commit is not linked to the password issue.

Comments and questions welcome.

Pierre

You can view, comment on, or merge this pull request online at:

#7 #7
Commit Summary

Change $rcmail_config into $config.
Correctly escape passwords taking into account shell interpretation.
Password shall not be filtered of potential HTML tags.
File Changes

M bash_cron.php https://github.com/iabsis/roundcube-fetchmail-rc/pull/7/files#diff-0 (2)
M config.inc.php https://github.com/iabsis/roundcube-fetchmail-rc/pull/7/files#diff-1 (4)
M fetchmail_rc.php https://github.com/iabsis/roundcube-fetchmail-rc/pull/7/files#diff-2 (6)
M includes/fetchMailRc.php https://github.com/iabsis/roundcube-fetchmail-rc/pull/7/files#diff-3 (2)
Patch Links:

https://github.com/iabsis/roundcube-fetchmail-rc/pull/7.patch https://github.com/iabsis/roundcube-fetchmail-rc/pull/7.patch
https://github.com/iabsis/roundcube-fetchmail-rc/pull/7.diff https://github.com/iabsis/roundcube-fetchmail-rc/pull/7.diff
—
Reply to this email directly or view it on GitHub #7.