http://kenai.com/bugzilla/show_bug.cgi?id=5285
Bug #: 5285
Summary: SMTPSaslAuthenticator mishandles empty responses from SaslClient
Classification: Unclassified
Product: javamail
Version: 1.4.5
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P5
Component: smtp
AssignedTo: shannon_at_kenai.com
ReportedBy: nicolson_at_kenai.com
CC: issues_at_javamail.kenai.com

The SaslClient.evaluateChallenge documentation
(http://docs.oracle.com/javase/1.5.0/docs/api/javax/security/sasl/SaslClient.html#evaluateChallenge(byte[]))
describes the case of a client returning null to signify that no response needs
to be sent to the server. This could be useful, for example, if the server
wanted to update the client with some information at the end of the SASL
negotiation.

However, in SMTPSaslAuthenticator.authenticate, at line 185, if the server has
sent a 334 response to the client, there is no way to avoid sending something
back to the server. If the client returns null, this code will convert that to
a "*", which aborts the authentication. If the client returns non-null, the
return value will be sent to the server.

If the SaslClient returns null, SMTPSaslAuthenticator should not send anything
to the server, but should instead try to read the next line from the server.
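
The 334 handling described in this report, as an added example that is not part of the original report and is not JavaMail code: it compares the reported mapping of a null result to "*" with the proposed skip-and-read-next-line behaviour. The class Sasl334Demo, the stub mechanism "DEMO", the skipOnNull flag and the server transcript are all hypothetical and constructed, and the transcript assumes a server that sends its next line without waiting for a reply.

```java
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

public class Sasl334Demo {
    // Constructed stub: answers the first challenge, returns null for the second.
    static SaslClient stubClient() {
        return new SaslClient() {
            private int step = 0;
            public String getMechanismName() { return "DEMO"; }
            public boolean hasInitialResponse() { return false; }
            public byte[] evaluateChallenge(byte[] challenge) {
                return ++step == 1 ? "resp".getBytes() : null;
            }
            public boolean isComplete() { return step >= 2; }
            public byte[] unwrap(byte[] b, int off, int len) { throw new IllegalStateException(); }
            public byte[] wrap(byte[] b, int off, int len) { throw new IllegalStateException(); }
            public Object getNegotiatedProperty(String name) { return null; }
            public void dispose() { }
        };
    }

    // Returns the lines the client would write while walking the server transcript.
    static List<String> run(List<String> serverLines, boolean skipOnNull) throws SaslException {
        SaslClient sc = stubClient();
        List<String> sent = new ArrayList<>();
        for (String line : serverLines) {
            if (!line.startsWith("334")) break;      // a final reply ends the exchange
            byte[] challenge = Base64.getDecoder().decode(line.substring(3).trim());
            byte[] resp = sc.evaluateChallenge(challenge);
            if (resp != null) {
                sent.add(Base64.getEncoder().encodeToString(resp));
            } else if (!skipOnNull) {
                sent.add("*");                       // reported behaviour: null becomes an abort
                break;
            }                                        // proposed: write nothing, read the next line
        }
        return sent;
    }

    public static void main(String[] args) throws SaslException {
        // Constructed transcript: two 334 challenges, then a final reply.
        List<String> server = Arrays.asList("334 Y2hhbGxlbmdl", "334 aW5mbw==", "235 2.7.0 ok");
        System.out.println("reported: " + run(server, false));
        System.out.println("proposed: " + run(server, true));
    }
}
```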