authorKim Alvefur <zash@zash.se>2023-05-26 17:39:53 +0200
committerKim Alvefur <zash@zash.se>2023-05-26 17:39:53 +0200
commit8f7b31f616545f788723f29306919551e55cbb5c (patch)
tree0b43c77ad25451c305ff76b50768703db0be93e6
parentdd2e84271facb85d6cc079094917cbe0feff7225 (diff)
downloadprosody-8f7b31f616545f788723f29306919551e55cbb5c.tar.gz
prosody-8f7b31f616545f788723f29306919551e55cbb5c.zip
util.sasl.oauthbearer: Tighter parsing of SASL message
Previously the kvsep before and after the kvpairs would have been included in kvpairs, which is incorrect but should be harmless.
-rw-r--r--util/sasl/oauthbearer.lua4
1 files changed, 3 insertions, 1 deletions
diff --git a/util/sasl/oauthbearer.lua b/util/sasl/oauthbearer.lua
index 36ba5be4..0a2fe9dd 100644
--- a/util/sasl/oauthbearer.lua
+++ b/util/sasl/oauthbearer.lua
@@ -11,12 +11,14 @@ local function oauthbearer(self, message)
return "failure", "not-authorized";
end
- local gs2_header, kvpairs = message:match("^(n,[^,]*,)(.+)$");
+ -- gs2-header kvsep *kvpair kvsep
+ local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$");
if not gs2_header then
return "failure", "malformed-request";
end
local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$");
+ -- key "=" value kvsep
local auth_header;
for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
if k == "auth" then