From 72e415f8233f2a67f2296b6061618ca5269df593 Mon Sep 17 00:00:00 2001
From: Tobias Markmann
Date: Sat, 15 Nov 2008 19:12:05 +0100
Subject: Adding some TODO for some security issue.
---
 plugins/mod_saslauth.lua | 1 +
 1 file changed, 1 insertion(+)
(limited to 'plugins/mod_saslauth.lua')
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index dd268555..6b945bfc 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -115,6 +115,7 @@ add_event_hook("stream-features", function (session, features)
 if not session.username then
 t_insert(features, "");
+ -- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
 t_insert(features, "PLAIN");
 t_insert(features, "DIGEST-MD5");
 t_insert(features, "");
-- cgit v1.2.3
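Review bot: The `t_insert(features, "PLAIN");` line directly below the new TODO still advertises PLAIN on every unauthenticated stream, so a client on an unencrypted connection can still send its password where anyone on the network path can read it; the comment records the gap but nothing enforces it. Until the configuration switch exists, the safer default is to guard only that insert, e.g. `if <session-has-TLS> then t_insert(features, "PLAIN"); end`, where the condition is a placeholder because the field that records TLS state is not visible in this hunk. Hiding the mechanism from the feature list is not sufficient on its own, since a client can request a mechanism that was not offered, so the auth handler (outside this hunk) should also refuse PLAIN on a non-TLS stream. The end of the TODO is hard to parse; something like `-- This could be overridden via configuration, but should log a warning when it is.` states the intent. The enclosing stream-features handler begins and ends outside the hunk.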