diff options
| author | Kim Alvefur <zash@zash.se> | 2023-05-26 17:39:53 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2023-05-26 17:39:53 +0200 |
| commit | 8f7b31f616545f788723f29306919551e55cbb5c (patch) | |
| tree | 0b43c77ad25451c305ff76b50768703db0be93e6 /util | |
| parent | dd2e84271facb85d6cc079094917cbe0feff7225 (diff) | |
| download | prosody-8f7b31f616545f788723f29306919551e55cbb5c.tar.gz prosody-8f7b31f616545f788723f29306919551e55cbb5c.zip | |
util.sasl.oauthbearer: Tighter parsing of SASL message
Previously the kvsep before and after the kvpairs would have been
included in kvpairs, which is incorrect but should be harmless.
Diffstat (limited to 'util')
| -rw-r--r-- | util/sasl/oauthbearer.lua | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/util/sasl/oauthbearer.lua b/util/sasl/oauthbearer.lua index 36ba5be4..0a2fe9dd 100644 --- a/util/sasl/oauthbearer.lua +++ b/util/sasl/oauthbearer.lua @@ -11,12 +11,14 @@ local function oauthbearer(self, message) return "failure", "not-authorized"; end - local gs2_header, kvpairs = message:match("^(n,[^,]*,)(.+)$"); + -- gs2-header kvsep *kvpair kvsep + local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$"); if not gs2_header then return "failure", "malformed-request"; end local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$"); + -- key "=" value kvsep local auth_header; for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do if k == "auth" then |