• Russ Cox's avatar
    net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers · ec3b6131
    Russ Cox authored
    PlainAuth originally refused to send passwords to non-TLS servers
    and was documented as such.
    
    In 2013, issue #5184 was filed objecting to the TLS requirement,
    despite the fact that it is spelled out clearly in RFC 4954.
    The only possibly legitimate use case raised was using PLAIN auth
    for connections to localhost, and the suggested fix was to let the
    server decide: if it advertises that PLAIN auth is OK, believe it.
    That approach was adopted in CL 8279043 and released in Go 1.1.
    
    Unfortunately, this is exactly wrong. The whole point of the TLS
    requirement is to make sure not to send the password to the wrong
    server or to a man-in-the-middle. Instead of implementing this rule,
    CL 8279043 blindly trusts the server, so that if a man-in-the-middle
    says "it's OK, you can send me your password," PlainAuth does.
    And the documentation was not updated to reflect any of this.
    
    This CL restores the original TLS check, as required by RFC 4954
    and as promised in the documentation for PlainAuth.
    It then carves out a documented exception for connections made
    to localhost (defined as "localhost", "127.0.0.1", or "::1").
    
    Change-Id: I1d3729bbd33aa2f11a03f4c000e6bb473164957b
    Reviewed-on: https://go-review.googlesource.com/68170
    Run-TryBot: Russ Cox <rsc@golang.org>
    Reviewed-by: 's avatarIan Lance Taylor <iant@golang.org>
    Reviewed-by: 's avatarDavid Crawshaw <crawshaw@golang.org>
    ec3b6131
auth.go 3.75 KB