From 666f84edead68ed68483d0eb3803954d98b93d5c Mon Sep 17 00:00:00 2001 From: Mechiel Lukkien Date: Thu, 11 Apr 2024 23:11:31 +0200 Subject: [PATCH] fix login for account names with non-ascii chars we include the username in session cookie values. but cookie values must be ascii-only, go's net/http's drops bad values. the typical solution is to querystring-encode/decode the cookie values, which we'll now do. problem found by arnt, thanks for reporting! --- testdata/httpaccount/domains.conf | 4 ++-- testdata/httpaccount/mox.conf | 2 +- webaccount/account_test.go | 12 ++++++------ webauth/webauth.go | 12 ++++++++++-- 4 files changed, 19 insertions(+), 11 deletions(-) diff --git a/testdata/httpaccount/domains.conf b/testdata/httpaccount/domains.conf index 515602f..8931695 100644 --- a/testdata/httpaccount/domains.conf +++ b/testdata/httpaccount/domains.conf @@ -1,11 +1,11 @@ Domains: mox.example: nil Accounts: - mjl: + mjl☺: Domain: mox.example FullName: mjl Destinations: - mjl@mox.example: + mjl☺@mox.example: Mailbox: Inbox Rulesets: - diff --git a/testdata/httpaccount/mox.conf b/testdata/httpaccount/mox.conf index e1286db..f92097f 100644 --- a/testdata/httpaccount/mox.conf +++ b/testdata/httpaccount/mox.conf @@ -3,7 +3,7 @@ User: 1000 LogLevel: trace Hostname: mox.example Postmaster: - Account: mjl + Account: mjl☺ Mailbox: postmaster Listeners: local: nil diff --git a/webaccount/account_test.go b/webaccount/account_test.go index e5a2d67..3df521a 100644 --- a/webaccount/account_test.go +++ b/webaccount/account_test.go @@ -79,7 +79,7 @@ func TestAccount(t *testing.T) { mox.ConfigDynamicPath = filepath.Join(filepath.Dir(mox.ConfigStaticPath), "domains.conf") mox.MustLoadConfig(true, false) log := mlog.New("webaccount", nil) - acc, err := store.OpenAccount(log, "mjl") + acc, err := store.OpenAccount(log, "mjl☺") tcheck(t, err, "open account") err = acc.SetPassword(log, "test1234") tcheck(t, err, "set password") @@ -99,14 +99,14 @@ func TestAccount(t *testing.T) { ctx := context.WithValue(ctxbg, requestInfoCtxKey, reqInfo) // Missing login token. - tneedErrorCode(t, "user:error", func() { api.Login(ctx, "", "mjl@mox.example", "test1234") }) + tneedErrorCode(t, "user:error", func() { api.Login(ctx, "", "mjl☺@mox.example", "test1234") }) // Login with loginToken. loginCookie := &http.Cookie{Name: "webaccountlogin"} loginCookie.Value = api.LoginPrep(ctx) reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}} - csrfToken := api.Login(ctx, loginCookie.Value, "mjl@mox.example", "test1234") + csrfToken := api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "test1234") var sessionCookie *http.Cookie for _, c := range respRec.Result().Cookies() { if c.Name == "webaccountsession" { @@ -121,7 +121,7 @@ func TestAccount(t *testing.T) { // Valid loginToken, but bad credentials. loginCookie.Value = api.LoginPrep(ctx) reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}} - tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "mjl@mox.example", "badauth") }) + tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "badauth") }) tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@mox.example", "badauth") }) tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@baddomain.example", "badauth") }) @@ -211,13 +211,13 @@ func TestAccount(t *testing.T) { // SetPassword needs the token. sessionToken := store.SessionToken(strings.SplitN(sessionCookie.Value, " ", 2)[0]) - reqInfo = requestInfo{"mjl@mox.example", "mjl", sessionToken, respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}} + reqInfo = requestInfo{"mjl☺@mox.example", "mjl☺", sessionToken, respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}} ctx = context.WithValue(ctxbg, requestInfoCtxKey, reqInfo) api.SetPassword(ctx, "test1234") fullName, _, dests, _, _ := api.Account(ctx) - api.DestinationSave(ctx, "mjl@mox.example", dests["mjl@mox.example"], dests["mjl@mox.example"]) // todo: save modified value and compare it afterwards + api.DestinationSave(ctx, "mjl☺@mox.example", dests["mjl☺@mox.example"], dests["mjl☺@mox.example"]) // todo: save modified value and compare it afterwards api.AccountSaveFullName(ctx, fullName+" changed") // todo: check if value was changed api.AccountSaveFullName(ctx, fullName) diff --git a/webauth/webauth.go b/webauth/webauth.go index 21bf43b..6af82ee 100644 --- a/webauth/webauth.go +++ b/webauth/webauth.go @@ -41,6 +41,7 @@ import ( "log/slog" "net" "net/http" + "net/url" "strings" "time" @@ -154,9 +155,15 @@ func Check(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind stri return "", "", "", false } sessionToken = store.SessionToken(t[0]) - accountName = t[1] var err error + accountName, err = url.QueryUnescape(t[1]) + if err != nil { + time.Sleep(BadAuthDelay) + respondAuthError("user:badAuth", "malformed session account name") + return "", "", "", false + } + loginAddress, err = sessionAuth.use(ctx, log, accountName, sessionToken, csrfToken) if err != nil { time.Sleep(BadAuthDelay) @@ -258,7 +265,8 @@ func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, coo // Add session cookie. http.SetCookie(w, &http.Cookie{ Name: kind + "session", - Value: string(sessionToken) + " " + accountName, + // Cookies values are ascii only, so we keep the account name query escaped. + Value: string(sessionToken) + " " + url.QueryEscape(accountName), Path: cookiePath, Secure: isHTTPS(isForwarded, r), HttpOnly: true,