1 files changed, 18 insertions, 3 deletions

diff --git a/lib/net/imap/authenticators/plain.rb b/lib/net/imap/authenticators/plain.rb
index 0829476c51..2b6051c0f2 100644
--- a/lib/net/imap/authenticators/plain.rb
+++ b/lib/net/imap/authenticators/plain.rb
@@ -4,15 +4,30 @@
 #
 # See RFC4616[https://tools.ietf.org/html/rfc4616] for the specification.
 class Net::IMAP::PlainAuthenticator
+
   def process(data)
-    return "\0#{@user}\0#{@password}"
+    return "#@authzid\0#@username\0#@password"
   end
 
+  NULL = -"\0".b
+
   private
 
-  def initialize(user, password)
-    @user = user
+  # +username+ is the authentication identity, the identity whose +password+ is
+  # used.  +username+ is referred to as +authcid+ by
+  # RFC4616[https://tools.ietf.org/html/rfc4616].
+  #
+  # +authzid+ is the authorization identity (identity to act as).  It can
+  # usually be left blank. When +authzid+ is left blank (nil or empty string)
+  # the server will derive an identity from the credentials and use that as the
+  # authorization identity.
+  def initialize(username, password, authzid: nil)
+    raise ArgumentError, "username contains NULL" if username&.include?(NULL)
+    raise ArgumentError, "password contains NULL" if password&.include?(NULL)
+    raise ArgumentError, "authzid  contains NULL" if authzid&.include?(NULL)
+    @username = username
     @password = password
+    @authzid  = authzid
   end
 
   Net::IMAP.add_authenticator "PLAIN", self