Don't check IMAP PREAUTH encryption if $tunnel is in use

$tunnel is used to create an external encrypted connection. The default of $ssl_starttls is yes, meaning those kinds of connections will be broken by the CVE-2020-14093 fix. Upstream-commit: https://gitlab.com/muttmua/mutt/commit/dc909119b3433a84290f0095c0f43a23b98b3748 Co-authored-by: Pietro Cerutti <gahr@gahr.ch>
neomutt · Jun 24, 2020 · 37c98ed · 37c98ed
1 parent 5b00291
commit 37c98ed
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/imap/imap.c b/imap/imap.c
@@ -773,8 +773,8 @@ int imap_open_connection(struct ImapAccountData *adata)
   {
 #ifdef USE_SSL
     /* An unencrypted PREAUTH response is most likely a MITM attack.
-     * Require a confirmation. */
-    if (adata->conn->ssf == 0)
+     * Require a confirmation unless using $tunnel. */
+    if ((adata->conn->ssf == 0) && !C_Tunnel)
     {
       bool proceed = true;
       if (C_SslForceTls)