split() matching regular expression question - openwebmail bug...

[Ken A]

Openwebmail seems to have a bug in the way it stores and retrieves data,
especially passwords from a file called .pop3book.

In .pop3book there are stored entries for host,port,user,pass,etc.. They
are delimited by @@@.

Here's the line with the problem in openwebmail-main.pl:

my ($pop3host,$pop3port, $pop3user,$pop3passwd, $pop3del,
$enable)=split(/\@\@\@/,$_);

If the user's password ends in a '@' character, the split() causes the @
to be cut off the $pop3passwd and added to the $pop3del variable.

Any way to fix this with a better matching regular expression in the
call to split ?

Otherwise, it seems I have to rewrite every part of openwebmail that
uses the @@@ delimiter and change it to some more sensible (less likely
to conflict with passwords) delimiter. That also would mean changing all
..pop3book files on the server, which isn't a good thing either..

Thanks for any ideas,
Ken A.

[Matija Papec]

X-Ftn-To: Ken A

Ken A <ken@pacific.net> wrote:

>my ($pop3host,$pop3port, $pop3user,$pop3passwd, $pop3del,
>$enable)=split(/\@\@\@/,$_);
>
>If the user's password ends in a '@' character, the split() causes the @
>to be cut off the $pop3passwd and added to the $pop3del variable.
>
>Any way to fix this with a better matching regular expression in the
>call to split ?
>
>Otherwise, it seems I have to rewrite every part of openwebmail that
>uses the @@@ delimiter and change it to some more sensible (less likely
>to conflict with passwords) delimiter. That also would mean changing all
>.pop3book files on the server, which isn't a good thing either..
>
>Thanks for any ideas,

You could reverse $_ but then you're vulnerable if some field begins with
'@' :)


--
Matija

[Glenn Jackman]

Ken A <ken@pacific.net> wrote:
[...]

> Here's the line with the problem in openwebmail-main.pl:
>
> my ($pop3host,$pop3port, $pop3user,$pop3passwd, $pop3del,
> $enable)=split(/\@\@\@/,$_);
>
> If the user's password ends in a '@' character, the split() causes the @
> to be cut off the $pop3passwd and added to the $pop3del variable.

Change the RE to check that the character after the third @ is not an @:
$str = 'f1@@@f2@@@pass@@@@f4';
@fields = split/\@{3}(?=[^@]|$)/, $str;


--
Glenn Jackman
NCF Sysadmin
[email]glennj@ncf.ca[/email]

[Glenn Jackman]

Ken A <ken@pacific.net> wrote:
[...]

> Here's the line with the problem in openwebmail-main.pl:
>
> my ($pop3host,$pop3port, $pop3user,$pop3passwd, $pop3del,
> $enable)=split(/\@\@\@/,$_);
>
> If the user's password ends in a '@' character, the split() causes the @
> to be cut off the $pop3passwd and added to the $pop3del variable.

Change the RE to check that the character after the third @ is not an @:
$str = 'f1@@@f2@@@pass@@@@f4';
@fields = split /\@{3}(?!@)/, $str;


--
Glenn Jackman
NCF Sysadmin
[email]glennj@ncf.ca[/email]

[Andreas Kahari]

In article <vm1iqi4pcfed5a@corp.supernews.com>, Ken A wrote:

> Openwebmail seems to have a bug in the way it stores and retrieves data,
> especially passwords from a file called .pop3book.
>
> In .pop3book there are stored entries for host,port,user,pass,etc.. They
> are delimited by @@@.
>
> Here's the line with the problem in openwebmail-main.pl:
>
> my ($pop3host,$pop3port, $pop3user,$pop3passwd, $pop3del,
> $enable)=split(/\@\@\@/,$_);
>
> If the user's password ends in a '@' character, the split() causes the @
> to be cut off the $pop3passwd and added to the $pop3del variable.

[cut]

IMHO, the best way to fix this is to store the passwords
encrypted, just like the passwords in /etc/passwd on a Unix
system. Use a cipher that does not generate '@' characters.

If that's too involved, store them as strings consisting of the
3-digit ASCII codes, or something.

If that's too involved, change the regex to /@@@(?=[^@])/, but
this assumes that $pop3del won't ever start with '@'. Look for
"zero-width positive look-ahead assertion" in the perlre manual.


Cheers,
Andreas


--
Andreas Kähäri

[Bart van den Burg]

"Ken A" <ken@pacific.net> wrote in message
news:vm1iqi4pcfed5a@corp.supernews.com...

> Openwebmail seems to have a bug in the way it stores and retrieves data,
> especially passwords from a file called .pop3book.
>
> In .pop3book there are stored entries for host,port,user,pass,etc.. They
> are delimited by @@@.
>
> Here's the line with the problem in openwebmail-main.pl:
>
> my ($pop3host,$pop3port, $pop3user,$pop3passwd, $pop3del,
> $enable)=split(/\@\@\@/,$_);
>
> If the user's password ends in a '@' character, the split() causes the @
> to be cut off the $pop3passwd and added to the $pop3del variable.
>
> Any way to fix this with a better matching regular expression in the
> call to split ?
>
> Otherwise, it seems I have to rewrite every part of openwebmail that
> uses the @@@ delimiter and change it to some more sensible (less likely
> to conflict with passwords) delimiter. That also would mean changing all
> .pop3book files on the server, which isn't a good thing either..
>
> Thanks for any ideas,
> Ken A.
>
>
>

You could also use \t (tab) as a delimiter. I use it myself often, without
any problems.

Bart

[Andreas Kahari]

In article <bjqm07$5ic$1@reader11.wxs.nl>, Bart van den Burg wrote:

>
> "Ken A" <ken@pacific.net> wrote in message
> news:vm1iqi4pcfed5a@corp.supernews.com...

[cut]

>> If the user's password ends in a '@' character, the split() causes the @
>> to be cut off the $pop3passwd and added to the $pop3del variable.
>>
>> Any way to fix this with a better matching regular expression in the
>> call to split ?

[cut]

>
> You could also use \t (tab) as a delimiter. I use it myself often, without
> any problems.

What if I decide to use a tab at the end of my password?
(assuming it still makes a valid password) You've just replaced
the trouble character with another trouble character.


--
Andreas Kähäri

[Bart van den Burg]

"Andreas Kahari" <ak+usenet@freeshell.org> wrote in message
news:slrnbm1n7j.ncd.ak+usenet@vinland.freeshell.or g...

> In article <bjqm07$5ic$1@reader11.wxs.nl>, Bart van den Burg wrote:

> >
> > "Ken A" <ken@pacific.net> wrote in message
> > news:vm1iqi4pcfed5a@corp.supernews.com...

> [cut]

> >> If the user's password ends in a '@' character, the split() causes the

@

> >> to be cut off the $pop3passwd and added to the $pop3del variable.
> >>
> >> Any way to fix this with a better matching regular expression in the
> >> call to split ?

> [cut]

> >
> > You could also use \t (tab) as a delimiter. I use it myself often,

without

> > any problems.

>
> What if I decide to use a tab at the end of my password?
> (assuming it still makes a valid password) You've just replaced
> the trouble character with another trouble character.

Because that's hard to do if it's in a web environment, cause if you press
[tab], you'll go to the next input box. Ok, you could go and copy/paste one,
but would you really wanna do that everytime you wanna login there?

Bart

[Andreas Kahari]

In article <bjqmsu$6nd$1@reader11.wxs.nl>, Bart van den Burg wrote:

>
> "Andreas Kahari" <ak+usenet@freeshell.org> wrote in message
> news:slrnbm1n7j.ncd.ak+usenet@vinland.freeshell.or g...

>> In article <bjqm07$5ic$1@reader11.wxs.nl>, Bart van den Burg wrote:

>> >
>> > "Ken A" <ken@pacific.net> wrote in message
>> > news:vm1iqi4pcfed5a@corp.supernews.com...

>> [cut]

>> >> If the user's password ends in a '@' character, the split() causes the

[cut]

>> >> Any way to fix this with a better matching regular expression in the
>> >> call to split ?

[cut]

>> > You could also use \t (tab) as a delimiter. I use it myself often,

> without

>> > any problems.

>>
>> What if I decide to use a tab at the end of my password?
>> (assuming it still makes a valid password) You've just replaced
>> the trouble character with another trouble character.

>
> Because that's hard to do if it's in a web environment, cause if you press
> [tab], you'll go to the next input box. Ok, you could go and copy/paste one,
> but would you really wanna do that everytime you wanna login there?

Point taken, kinda'. Are you sure it's not as simple as typing
<shift><tab> or something similar in one browser or another?

My point is that you should try to come up with a solid solution
to the problem, not a quick workaround that might prove to be
just as faulty as the original solution. Especially since this
involves passwords giving access to personal information.

In this particular case, I would opt for an encoding of the
passwords that ensures that no character or substring in the
encoded password collides with a record separator. Encryption
would be even better.


--
Andreas Kähäri

[Abigail]

Bart van den Burg (bart-news@NOSPAMtvreclames.nl) wrote on MMMDCLXIII
September MCMXCIII in <URL:news:bjqmsu$6nd$1@reader11.wxs.nl>:
&&
&& Because that's hard to do if it's in a web environment, cause if you press
&& [tab], you'll go to the next input box. Ok, you could go and copy/paste one,
&& but would you really wanna do that everytime you wanna login there?


Don't make the newbie mistake of "if it works on my browser, it will
work anywhere". While tabs might go to the next field in some browsers,
it won't in others. And yet another set of browsers allow tabs to be
escaped.

Not that this has anything to do at all with Perl.


Abigail
--
package Just_another_Perl_Hacker; sub print {($_=$_[0])=~ s/_/ /g;
print } sub __PACKAGE__ { &
print ( __PACKAGE__)} &
__PACKAGE__
( )