From 8f7b31f616545f788723f29306919551e55cbb5c Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 26 May 2023 17:39:53 +0200
Subject: util.sasl.oauthbearer: Tighter parsing of SASL message

Previously the kvsep before and after the kvpairs would have been
included in kvpairs, which is incorrect but should be harmless.
---
 util/sasl/oauthbearer.lua | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/util/sasl/oauthbearer.lua b/util/sasl/oauthbearer.lua
index 36ba5be4..0a2fe9dd 100644
--- a/util/sasl/oauthbearer.lua
+++ b/util/sasl/oauthbearer.lua
@@ -11,12 +11,14 @@ local function oauthbearer(self, message)
 		return "failure", "not-authorized";
 	end
 
-	local gs2_header, kvpairs = message:match("^(n,[^,]*,)(.+)$");
+	-- gs2-header kvsep *kvpair kvsep
+	local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$");
 	if not gs2_header then
 		return "failure", "malformed-request";
 	end
 	local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$");
 
+	-- key "=" value kvsep
 	local auth_header;
 	for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
 		if k == "auth" then
-- 
cgit v1.2.3