-rw-r--r-- | plugins/mod_saslauth.lua | 7 | ||||
-rw-r--r-- | util/sasl.lua | 8 |
2 files changed, 10 insertions, 5 deletions
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 8d3b4ae4..da66717c 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -1,7 +1,7 @@ -- Prosody IM -- Copyright (C) 2008-2009 Matthew Wild -- Copyright (C) 2008-2009 Waqas Hussain --- +-- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- @@ -13,6 +13,7 @@ local sm_bind_resource = require "core.sessionmanager".bind_resource; local sm_make_authenticated = require "core.sessionmanager".make_authenticated; local base64 = require "util.encodings".base64; +local nodeprep = require "util.encodings".stringprep.nodeprep; local datamanager_load = require "util.datamanager".load; local usermanager_validate_credentials = require "core.usermanager".validate_credentials; local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods; @@ -70,6 +71,10 @@ end local function credentials_callback(mechanism, ...) if mechanism == "PLAIN" then local username, hostname, password = ...; + username = nodeprep(username); + if not username then + return false; + end local response = usermanager_validate_credentials(hostname, username, password, mechanism); if response == nil then return false; diff --git a/util/sasl.lua b/util/sasl.lua index 444d4cf4..d176fd85 100644 --- a/util/sasl.lua +++ b/util/sasl.lua 
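Review bot: The prepped name never leaves `credentials_callback`: `username = nodeprep(username)` rebinds only the local, while `feed` in util/sasl.lua still stores the raw value with `self.username = authentication`. If the session is later bound from the handler's `username` (not visible in this diff), the account that was validated and the identity attached to the session could differ in case or Unicode form. Consider normalising once in `feed` before that assignment, or having the callback hand the prepped name back so the handler stores it. Only the PLAIN branch is visible and the function continues past the hunk, so confirm that any other mechanism branch applies `nodeprep` too.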
@@ -38,9 +38,9 @@ local function new_plain(realm, credentials_handler) function object.feed(self, message) if message == "" or message == nil then return "failure", "malformed-request" end local response = message - local authorization = s_match(response, "([^&%z]+)") - local authentication = s_match(response, "%z([^&%z]+)%z") - local password = s_match(response, "%z[^&%z]+%z([^&%z]+)") + local authorization = s_match(response, "([^%z]+)") + local authentication = s_match(response, "%z([^%z]+)%z") + local password = s_match(response, "%z[^%z]+%z([^%z]+)") if authentication == nil or password == nil then return "failure", "malformed-request" end self.username = authentication @@ -128,7 +128,7 @@ local function new_digest_md5(realm, credentials_handler) return t_concat(p); end local function parse(data) - message = {} + local message = {} for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do -- FIXME The hacky regex makes me shudder message[k] = v; end |
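Review bot: The three patterns in `feed` are still unanchored and matched independently, so input that is not exactly `authzid NUL authcid NUL passwd` is accepted: extra NUL-separated fields after the password are ignored, and with an empty authzid `authorization` captures the authcid instead. A single anchored match would reject such input as malformed, e.g. `local authorization, authentication, password = s_match(response, "^([^%z]*)%z([^%z]+)%z([^%z]+)$")`. With that form an empty authzid yields `""` rather than `nil`, so any later use of `authorization` (outside this hunk) needs checking.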
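Review bot: Inside `parse`, `message[k] = v` lets a repeated directive silently overwrite the earlier value, and `[^",]*` cuts a quoted value at its first comma, so the resulting table may not reflect what the client sent. RFC 2831 requires directives such as `username` and `nonce` to appear exactly once. A guard such as `if message[k] ~= nil then return nil end` before the assignment would cover that, assuming the caller (outside this hunk) maps a nil result to `malformed-request`. The added `local` is right; running luacheck over the file would show whether other assignments leak globals the same way.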