IMAP connection sends CAPABILITY then goes no further - empty password

Status: UNCONFIRMED
Assignee: Unassigned
Reporter: adb
Opened 8 years ago, updated 4 months ago


(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: 3.2a1pre

It seems that Thunderbird will not accept using an empty login password against the server when using standard IMAP LOGIN command.

I would expect the empty password to be sent as, e.g.

2 LOGIN user ""

but TB does not disallow it, and TB does not work if one is used.



Reproducible: Always

Steps to Reproduce:
1. Start Thunderbird with IMAP logging env variables set
2. Thunderbird connects to the IMAP server
3. IMAP server sends greeting message
4. TB sends "1 capability" command
5. Server responds with "* CAPABILITY IMAP4 IMAP4REV1 IDLE"
6. TB asks for login password
7. Empty password given
8. TB goes no further, the green bars continue to march across status bar


Actual Results:  
No login is ever achieved

Expected Results:  
Should be able to login with empty password

I have run wireshark at both ends of the comms and IMAP logging is enabled for Thunderbird with the following env vars:

set NSPR_LOG_MODULES=IMAP:4
set NSPR_LOG_FILE=c:\tmp\tbird.log

It seems like TB cannot handle a zero length string password.  In the TB IMAP log it shows...

4084[50afe80]: 58bf800:localhost:NA:CreateNewLineFromSocket: 1 OK CAPABILITY completed
4084[50afe80]: try to log in
4084[50afe80]: IMAP auth: server caps 0x80035, pref 0x1321006, failed 0x0, avail caps 0x4
4084[50afe80]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN =  0x200000, PLAIN = 0x1000, LOGIN = 0x2, old-style IMAP login = 0x4)
4084[50afe80]: trying auth method 0x4

and then stops.  The server will disconnect the connection after 3 minutes with no activity from the client.

In some cases, for example if I click on existing messages in the mailbox, the "Login failed" box appears.  The following appears in the log

IMAP: ask user what to do (after login failed): new passwort, retry, cancel

RFC3501 does not prohibit empty passwords, so at least TB should not stop working
(Reporter)

Comment 1

8 years ago
Should this be in Mozilla Core somewhere?  Couldn't find an appropriate place for it.
Component: General → Networking: IMAP
Product: Thunderbird → MailNews Core
QA Contact: general → networking.imap

Comment 2

RFC 3501 defines;
> password        = astring
> astring         = 1*ASTRING-CHAR / string
> ASTRING-CHAR    = ATOM-CHAR / resp-specials
> ATOM-CHAR       = <any CHAR except atom-specials>
> resp-specials   = "]"
> string          = quoted / literal
> quoted          = DQUOTE *QUOTED-CHAR DQUOTE
> literal         = "{" number "}" CRLF *CHAR8
>                    ; Number represents the number of CHAR8s

> RFC3501 does not prohibit empty passwords, (snip)

As seen in definition, null (character of length=ZERO, not NUL=0x00 of ASCII) is not included in ATOM-CHAR. So, character of length=ZERO can not be a password defined by RFC 3501.
(Reporter)

Comment 3

8 years ago
(In reply to comment #2)
> RFC 3501 defines;
> > password        = astring
> > astring         = 1*ASTRING-CHAR / string
> > string          = quoted / literal
> > quoted          = DQUOTE *QUOTED-CHAR DQUOTE
> 
> As seen in definition, null (character of length=ZERO, not NUL=0x00 of ASCII) is
> not included in ATOM-CHAR. So, character of length=ZERO can not be a password
> defined by RFC 3501.

Sorry, but you are wrong.  password can be string and quoted, so password can be 

"" with *QUOTED-CHAR in between, and * means that it can be length 0.

Comment 4

4 months ago
(reporter email address is dead)

Jorg, what do you make of comment 3?  (or feel free to redirect to someone else)
Flags: needinfo?(jorgk)

Comment 5

4 months ago
I'm generally not good at reading RFCs ;-(
I was going to ask Alfred Peters (infofrommozilla@justmail.de) but sadly his account is disabled(?) :-(
Flags: needinfo?(jorgk) → needinfo?(gds)

Comment 6

4 months ago
(In reply to Antony from comment #3)
> (In reply to comment #2)
> > RFC 3501 defines;
> > > password        = astring
> > > astring         = 1*ASTRING-CHAR / string
> > > string          = quoted / literal
> > > quoted          = DQUOTE *QUOTED-CHAR DQUOTE
> > 
> > As seen in definition, null (character of length=ZERO, not NUL=0x00 of ASCII) is
> > not included in ATOM-CHAR. So, character of length=ZERO can not be a password
> > defined by RFC 3501.
> 
> Sorry, but you are wrong.  password can be string and quoted, so password
> can be 
> 
> "" with *QUOTED-CHAR in between, and * means that it can be length 0.

Note: The slashes mean OR.
I think reporter Antony is exactly right based on this:
========================================================================
RFC 2234             ABNF for Syntax Specifications        November 1997
3.6  Variable Repetition                                *Rule

   The operator "*" preceding an element indicates repetition. The full
   form is:

        <a>*<b>element

   where <a> and <b> are optional decimal values, indicating at least
   <a> and at most <b> occurrences of element.

   Default values are 0 and infinity so that *<element> allows any
   number, including zero; 1*<element> requires at  least  one;
   3*3<element> allows exactly 3 and 1*2<element> allows one or two.
======================================================================

So if the server accepts it, user gene should be able to authenticate with imap command:
ABCD login "gene" ""

I could ask on the IMAP mailing list to be more sure. I could also try to set up my local dovecot server with an "empty" password and see if it works (using telnet and then tb) if y'all think this is an important issue.
Flags: needinfo?(gds)
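
The grammar question argued in comments 2, 3 and 6, worked through as an added example (not part of the bug report and not Thunderbird code): a small parser and encoder for the RFC 3501 `astring` production, showing that an empty value is invalid as a bare atom but valid as `""` or `{0}`. The function names are hypothetical and the sample inputs are constructed.

```python
import re

# RFC 3501 section 9. ASTRING-CHAR: any 7-bit CHAR except ( ) { SP CTL % * " \
ATOM_RE = re.compile(rb'[^\x00-\x20\x7f-\xff(){%*"\\]+')   # 1*ASTRING-CHAR
# quoted = DQUOTE *QUOTED-CHAR DQUOTE; "*" allows zero characters between the quotes
QUOTED_RE = re.compile(rb'"((?:[^\x00\r\n\x80-\xff"\\]|\\["\\])*)"')
LITERAL_RE = re.compile(rb'\{(\d+)\}\r\n')                  # "{" number "}" CRLF


def parse_astring(token):
    """Decode one complete astring token; return None if it is not valid."""
    if ATOM_RE.fullmatch(token):
        return token
    m = QUOTED_RE.fullmatch(token)
    if m:
        return re.sub(rb'\\(["\\])', rb'\1', m.group(1))   # undo \" and \\
    m = LITERAL_RE.match(token)
    if m and len(token) - m.end() == int(m.group(1)):
        body = token[m.end():]
        return None if b'\x00' in body else body            # CHAR8 excludes NUL
    return None


def encode_astring(value):
    """Choose a wire form for value; an empty value can never be a bare atom."""
    if ATOM_RE.fullmatch(value):
        return value
    quoted = b'"' + value.replace(b'\\', b'\\\\').replace(b'"', b'\\"') + b'"'
    if QUOTED_RE.fullmatch(quoted):
        return quoted
    if b'\x00' in value:
        raise ValueError('NUL cannot appear in an IMAP string')
    # A real client must wait for the server's "+" continuation before
    # sending the bytes that follow the CRLF of a literal.
    return b'{%d}\r\n' % len(value) + value


def login_command(tag, user, password):
    """Build the LOGIN line (tag, user and password are caller-supplied)."""
    return b'%s LOGIN %s %s\r\n' % (tag, encode_astring(user),
                                     encode_astring(password))


if __name__ == '__main__':
    # Constructed inputs: the reporter's expected command and three tokens.
    print(login_command(b'2', b'user', b''))
    for tok in (b'""', b'', b'{0}\r\n'):
        print(tok, '->', parse_astring(tok))
```
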

Comment 7

4 months ago
Nothing is too oddball where these issues are concerned