(nnimap-login): Prefer AUTH=CRAM-MD5, if it's available.

This avoids sending passwords in plain text over non-encrypted
channels.

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 7e5abde..0fb65b8 100644 (file)
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,5 +1,9 @@
 2011-01-02  Lars Magne Ingebrigtsen  <larsi@gnus.org>
 
+       * nnimap.el (nnimap-login): Prefer AUTH=CRAM-MD5, if it's available.
+       This avoids sending passwords in plain text over non-encrypted
+       channels.
+
        * shr.el (shr-rescale-image): Display all GIF images as animated images.
 
        * nnimap.el (nnimap-login): Refactored out into own function, and

diff --git a/lisp/nnimap.el b/lisp/nnimap.el
index d316015..51fa532 100644 (file)
--- a/lisp/nnimap.el
+++ b/lisp/nnimap.el
@@ -411,15 +411,6 @@ textual parts.")
 
 (defun nnimap-login (user password)
   (cond
-   ((not (nnimap-capability "LOGINDISABLED"))
-    (nnimap-command "LOGIN %S %S" user password))
-   ((nnimap-capability "AUTH=PLAIN")
-    (nnimap-command
-     "AUTHENTICATE PLAIN %s"
-     (base64-encode-string
-      (format "\000%s\000%s"
-             (nnimap-quote-specials user)
-             (nnimap-quote-specials password)))))
    ((nnimap-capability "AUTH=CRAM-MD5")
     (erase-buffer)
     (let ((sequence (nnimap-send-command "AUTHENTICATE CRAM-MD5"))
@@ -432,7 +423,16 @@ textual parts.")
                 (rfc2104-hash 'md5 64 16 password
                               (base64-decode-string challenge))))
        "\r\n"))
-      (nnimap-wait-for-response sequence)))))
+      (nnimap-wait-for-response sequence)))
+   ((not (nnimap-capability "LOGINDISABLED"))
+    (nnimap-command "LOGIN %S %S" user password))
+   ((nnimap-capability "AUTH=PLAIN")
+    (nnimap-command
+     "AUTHENTICATE PLAIN %s"
+     (base64-encode-string
+      (format "\000%s\000%s"
+             (nnimap-quote-specials user)
+             (nnimap-quote-specials password)))))))
 
 (defun nnimap-quote-specials (string)
   (with-temp-buffer