#362 closed defect (fixed)

sasl_get_part() does not handle spaces correctly

Reported by: root@…
Owned by:
Priority: normal
Milestone:
Component: Jabber
Version: 1.1.1dev
Keywords: sasl jabber digest-md5 nonce
Cc:
IRC client+version: Client-independent
Operating System: Public server
OS version/distro:

Description

When given a decoded base64 string with spaces during the authentication phase for XMPP, sasl_get_part() doesn't take into account that spaces may exist after commas in the data string. Thus, the digest-md5 mechanism fails because sasl_get_part() won't find what it needs in the string.

Example: jabberd2 will give a base64-encoded string of something like the following when asked to provide a challenge for digest-md5:

realm="quadpoint.org", nonce="NPotlQpQf9RNYodOwierkQ==", qop="auth, auth-int", charset=utf-8, algorithm=md5-sess

A patch to fix this issue is attached. However, it only handles spaces after the commas, when it really should handle spaces anywhere outside of the double-quote-delimited strings. Consider it a temporary solution.

Attachments (0)

Change History (3)

comment:1 Changed at 2008-02-16T06:38:08Z by root@…

Permission denied error when trying to attach a patch. Patch is instead available at http://f0rked.com/temp2/saslfix.patch

comment:2 Changed at 2008-02-16T11:41:16Z by wilmer

According to http://www.ietf.org/rfc/rfc2831.txt, I only have to expect whitespace after the comma. And possibly more than one character, or even a tab. I'll try to make this work, probably with slightly different code. Thanks for finding this! I'm surprised that this hasn't come up before...

comment:3 Changed at 2008-02-16T13:24:45Z by wilmer

Resolution: fixed
Status: new → closed

Fixed in changeset:devel,329. As a bonus, the code should also be able to handle even more malformed challenges, and I added some unittests to prove it. (-:
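
An added example, not BitlBee's sasl_get_part() and not the patch linked above: a small C tokenizer for the challenge format discussed in this ticket. It skips any run of spaces or tabs after a comma and treats commas inside double-quoted values (such as qop="auth, auth-int") as data, so a directive name that appears inside a quoted value is never matched. The names challenge_get_part and SAMPLE are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Challenge text quoted in the ticket description. */
static const char SAMPLE[] = "realm=\"quadpoint.org\", nonce=\"NPotlQpQf9RNYodOwierkQ==\", "
    "qop=\"auth, auth-int\", charset=utf-8, algorithm=md5-sess";
/* Hypothetical helper (not BitlBee's sasl_get_part()): malloc'd copy of the value
 * under `key`, or NULL if absent. Backslash escapes in quotes are not interpreted. */
char *challenge_get_part(const char *data, const char *key)
{
    size_t want = strlen(key);
    const char *p = data;
    while (*p) {
        /* Skip separators: commas plus any run of spaces or tabs around them. */
        while (*p == ',' || isspace((unsigned char)*p))
            p++;
        const char *k = p;                  /* start of this directive's name */
        while (*p && *p != '=' && *p != ',')
            p++;
        if (*p != '=')
            continue;                       /* token without '=': skip it */
        size_t klen = (size_t)(p - k);
        p++;                                /* step past '=' */
        const char *v;
        size_t vlen;
        if (*p == '"') {                    /* quoted: commas inside are data */
            v = ++p;
            while (*p && *p != '"')
                p++;
            vlen = (size_t)(p - v);
            if (*p == '"')
                p++;
        } else {                            /* bare token: ends at next comma */
            v = p;
            while (*p && *p != ',')
                p++;
            vlen = (size_t)(p - v);
            while (vlen > 0 && isspace((unsigned char)v[vlen - 1]))
                vlen--;                     /* drop trailing whitespace */
        }
        if (klen == want && memcmp(k, key, want) == 0) {
            char *out = malloc(vlen + 1);
            if (out) { memcpy(out, v, vlen); out[vlen] = '\0'; }
            return out;                     /* caller frees */
        }
    }
    return NULL;
}
```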
