util.sasl.oauthbearer: Tighter parsing of SASL message

Previously the kvsep before and after the kvpairs would have been
included in kvpairs, which is incorrect but should be harmless.
This commit is contained in:
Kim Alvefur 2023-05-26 17:39:53 +02:00
parent dd2e84271f
commit 8f7b31f616


@ -11,12 +11,14 @@ local function oauthbearer(self, message)
return "failure", "not-authorized";
end
local gs2_header, kvpairs = message:match("^(n,[^,]*,)(.+)$");
-- gs2-header kvsep *kvpair kvsep
local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$");
if not gs2_header then
return "failure", "malformed-request";
end
local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$");
-- key "=" value kvsep
local auth_header;
for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
if k == "auth" then