#362 closed defect (fixed)
sasl_get_part() does not handle spaces correctly
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Jabber | Version: | 1.1.1dev |
Keywords: | sasl jabber digest-md5 nonce | Cc: | |
IRC client+version: | Client-independent | Operating System: | Public server |
OS version/distro: |
Description
When given a decoded base64 string with spaces during the authentication phase for XMPP, sasl_get_part() doesn't take into account that spaces may exist after commas in the data string. Thus, the digest-md5 mechanism fails because sasl_get_part() won't find what it needs in the string.
Example: jabberd2 will give a base64-encoded string of something like the following when asked to provide a challenge for digest-md5:
realm="quadpoint.org", nonce="NPotlQpQf9RNYodOwierkQ==", qop="auth, auth-int", charset=utf-8, algorithm=md5-sess
A patch to fix this issue is attached. However, it only handles spaces after the commas, when it really should handle spaces anywhere outside of the double-quote-delimited strings. Consider it a temporary solution.
Attachments (0)
Change History (3)
comment:1 Changed at 2008-02-16T06:38:08Z by
comment:2 Changed at 2008-02-16T11:41:16Z by
According to http://www.ietf.org/rfc/rfc2831.txt, I only have to expect whitespace after the comma. And possibly more than one character, or even a tab. I'll try to make this work, probably with slightly different code. Thanks for finding this! I'm surprised that this hasn't come up before...
comment:3 Changed at 2008-02-16T13:24:45Z by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed in changeset:devel,329. As a bonus, the code should also be able to handle even more malformed challenges, and I added some unit tests to prove it. (-:
Permission denied error when trying to attach a patch. Patch is instead available at http://f0rked.com/temp2/saslfix.patch
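A sketch of the tolerant challenge parsing this ticket discusses, added here as an example; it is not BitlBee's sasl_get_part(), the linked patch, or the code from the changeset. The name challenge_get_part and its return convention are assumptions; it accepts whitespace after commas and around '=', and treats commas and '=' inside double-quoted values as data, so a field name is never matched inside another field's value.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* The challenge quoted in the ticket (spaces after the commas). */
static const char TICKET_CHALLENGE[] =
    "realm=\"quadpoint.org\", nonce=\"NPotlQpQf9RNYodOwierkQ==\", "
    "qop=\"auth, auth-int\", charset=utf-8, algorithm=md5-sess";

/* Hypothetical helper: returns a malloc'd copy of the value of `field`, or
 * NULL if the field is absent or a quoted value is unterminated. Caller frees. */
char *challenge_get_part(const char *data, const char *field)
{
    size_t flen = strlen(field);
    const char *p = data;

    while (*p) {
        /* Skip commas and any run of whitespace (spaces, tabs) between directives. */
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        const char *name = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') continue;           /* bare token without a value */
        const char *end = p++;             /* p now points past '=' */
        while (end > name && isspace((unsigned char)end[-1])) end--;
        int match = (size_t)(end - name) == flen && strncmp(name, field, flen) == 0;
        while (*p == ' ' || *p == '\t') p++;
        char *out = match ? malloc(strlen(p) + 1) : NULL, *o = out;
        if (match && !out) return NULL;
        if (*p == '"') {                   /* quoted-string: ',' and '=' are data */
            for (p++; *p && *p != '"'; p++) {
                if (*p == '\\' && p[1]) p++;   /* quoted-pair: next char is literal */
                if (o) *o++ = *p;
            }
            if (*p != '"') {               /* unterminated quote: reject the challenge */
                free(out);
                return NULL;
            }
            p++;
        } else {                           /* unquoted token ends at ',' or whitespace */
            for (; *p && *p != ',' && !isspace((unsigned char)*p); p++)
                if (o) *o++ = *p;
        }
        if (match) {
            *o = '\0';
            return out;
        }
    }
    return NULL;
}
```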