# HG changeset patch
# User Tobias Markmann <tm@ayena.de>
# Date 1296994817 -3600
# Node ID a65b56348034b38aae63c06315a71f056bee5e7e
# Parent  a2659baf8332dbc5e5e17d46be26bfc6f6f04c0a
util.sasl.scram: Checking the GS2 header for valid start flag.

diff -r a2659baf8332 -r a65b56348034 util/sasl/scram.lua
--- a/util/sasl/scram.lua	Mon Jan 17 16:50:21 2011 +0100
+++ b/util/sasl/scram.lua	Sun Feb 06 13:20:17 2011 +0100
@@ -131,6 +131,12 @@
 			self.state["gs2_cbind_flag"], self.state["gs2_cbind_name"], self.state["authzid"], self.state["name"], self.state["clientnonce"]
 				= client_first_message:match("^(%a)=?([%a%-]*),(.*),n=(.*),r=([^,]*).*");
 
+			-- check for invalid gs2_flag_type start
+			local gs2_flag_type == string.sub(self.state.gs2_cbind_flag, 0, 1)
+			if gs2_flag_type ~=  "y" and gs2_flag_type ~=  "n" and gs2_flag_type ~=  "p" then
+				return "failure", "malformed-request", "The GS2 header has to start with 'y', 'n', or 'p'."
+			end
+
 			if support_channel_binding then
 				if string.sub(self.state.gs2_cbind_flag, 0, 1) == "y" then
 					return "failure", "malformed-request";
@@ -141,6 +147,7 @@
 					return "failure", "malformed-request", "Proposed channel binding type isn't supported.";
 				end
 			else
+				-- we don't support channelbinding, 
 				if self.state.gs2_cbind_flag ~= "n" and self.state.gs2_cbind_flag ~= "y" then
 					return "failure", "malformed-request";
 				end