MBOX-Line: From blong at google.com Wed Mar 8 11:10:03 2017 To: imap-protocol@u.washington.edu From: Brandon Long Date: Fri Jun 8 12:34:55 2018 Subject: [Imap-protocol] Gmail - OAUTH2 - failures since Feb 23 In-Reply-To: <5a39008c-b64b-5a0e-bffb-1163d76aa6cc@laposte.net> References: <5a39008c-b64b-5a0e-bffb-1163d76aa6cc@laposte.net> Message-ID: We don't use Apache, and the cause was quite a bit different, involving the storage of the token info on our side. Brandon On Mar 8, 2017 11:01 AM, "Gilles LAMIRAL" wrote: > Hi all, > > Isn't it the last Apache patch that now disallow "broken" (not strict > RFC7230 compliant) > http clients that still use \n instead of \r\n as end of lines? > > Using only \n now generates an Apache (2.2) 400 HTTP error, it looks like > some > sort of error code mapping with what described Kostya Vasilyev: > "using this token to log into Gmail would get "status code 400, > bad request" from Gmail's IMAP and SMTP servers." > > I saw this happening in Debian last apache 2.2 patch: > https://tracker.debian.org/news/839792 > * Security: CVE-2016-8743: > Enforce HTTP request grammar corresponding to RFC7230 for request > lines > and request headers, to prevent response splitting and cache > pollution by > malicious clients or downstream proxies. > * The stricter HTTP enforcement may cause compatibility problems with > non-conforming clients. Fine-tuning is possible with the new > HttpProtocolOptions directive. > > It's not strictly imap related but it shows again that http is almost > everywhere now. > > Le 24/02/2017 ? 17:55, Brandon Long a ?crit : > >> https://twitter.com/Google/status/834993667911737345 >> >> We had some issues with account login yesterday for oauth, it should all >> be resolved now. >> >> > -- > Au revoir, > Gilles Lamiral. France, Baulon (35580) > mob 06 19 22 03 54 > tel 09 51 84 42 42 > -------------- next part -------------- An HTML attachment was scrubbed... URL: