3325 – Password conversion from plaintext to encrypted does not handle ! as first char of plaintext password

Bug 3325 - Password conversion from plaintext to encrypted does not handle ! as first char of plaintext password

Summary: Password conversion from plaintext to encrypted does not handle ! as first ch...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Claws Mail (GTK 2)
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	3.10.1
Hardware:	PC Linux

Importance:	P3 normal
Assignee:	users

URL:

Depends on:
Blocks:

Reported:	2014-11-09 01:21 UTC by Marvin
Modified:	2017-04-29 14:47 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marvin 2014-11-09 01:21:32 UTC

Password conversion from plaintext to encrypted does not handle ! as first char of plaintext password. If you migrate from sylpheed to claws you will encounter this problem. Should be a simple fix, I haven't looked at the code.

Comment 1 Paul 2014-11-09 13:14:39 UTC

(In reply to comment #0)
>  Should be a simple fix, I haven't looked at the code.

Waiting for your patch, in that case.

Comment 2 Marvin 2014-11-09 22:15:46 UTC

Good point but maybe I meant "should be simple, for someone that knows the code".
Can you point me to the code to look at? I did look around a little.

Comment 3 Marvin 2014-11-10 20:08:31 UTC

I've looked some more and ended up looking at passcrypt. I'm wondering if it's something to do with gchar which is c char which is by default signed on gcc but in passcrypt the crypt functions want unsigned.

When I encountered the problem my first thought was that some escaping of ! didn't happen somewhere but I don't find anything to support that thought.

Comment 4 Marvin 2014-11-13 18:26:02 UTC

Ok nothing to do with signedness.  That's what -Wno-pointer-sign is for.

But I wonder if anyone seeing this bug report knew right away what the problem was/is.

I looked at .claws-mail/accountrc and notice that each encrypted password begins with a !

Like so:
password=!abdCeF10293=
smtp_password=!etcetcetc=
in_ssl_client_cert_pass=!fubarfoobarorbarfoo=
out_ssl_client_cert_pass=!yesnoormaybeyes=

Or like this when no password has been set:

password=!


Why this has to be I can guess at but maybe someone knows exactly why.

My guess:
someone decided to use ! as a demarcation for the beginning of a
base64 encoded encrypted password string.

And somewhere, while encrypting, the ! is removed from unencrypted password strings.

Comment 5 Marvin 2014-11-13 18:37:08 UTC

I need to be explicit. And somewhere, while encrypting, the ! is removed from unencrypted password string when the ! occurs as the first char of the unecrypted password string.

Comment 6 Andrej Kacian 2017-04-29 14:47:45 UTC

When Claws Mail looks at the password in the preferences and sees it prefixed with '!', it assumes that what comes after the '!' is already encrypted. That is why this problem exists - if migrating from very old configuration, where passwords were stored directly in plaintext, any password starting with '!' will be problematic.

Unfortunately, at this point, I doubt anyone is going to spend their time fixing this corner case. Especially since Claws Mail has already moved on to yet another system for storing passwords.

Note You need to log in before you can comment on or make changes to this bug.