Software /
code /
prosody
Changeset
3552:8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
author | Waqas Hussain <waqas20@gmail.com> |
---|---|
date | Tue, 02 Nov 2010 22:05:19 +0500 |
parents | 3551:4fba723ab235 |
children | 3553:1f0af8572f15 |
files | plugins/mod_saslauth.lua |
diffstat | 1 files changed, 26 insertions(+), 25 deletions(-) [+] |
line wrap: on
line diff
--- a/plugins/mod_saslauth.lua Tue Nov 02 21:19:50 2010 +0500 +++ b/plugins/mod_saslauth.lua Tue Nov 02 22:05:19 2010 +0500 @@ -91,39 +91,40 @@ return true; end -local function sasl_handler(event) +module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) local session, stanza = event.origin, event.stanza; if session.type ~= "c2s_unauthed" then return; end - if stanza.name == "auth" then - -- FIXME ignoring duplicates because ejabberd does - local mechanism = stanza.attr.mechanism; - if anonymous_login then - if mechanism ~= "ANONYMOUS" then - session.send(build_reply("failure", "invalid-mechanism")); - return true; - end - elseif mechanism == "ANONYMOUS" then - session.send(build_reply("failure", "mechanism-too-weak")); - return true; - end - if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then - session.send(build_reply("failure", "encryption-required")); - return true; - end - local valid_mechanism = session.sasl_handler:select(mechanism); - if not valid_mechanism then + -- FIXME ignoring duplicates because ejabberd does + local mechanism = stanza.attr.mechanism; + if anonymous_login then + if mechanism ~= "ANONYMOUS" then session.send(build_reply("failure", "invalid-mechanism")); return true; end - elseif not session.sasl_handler then - return true; -- FIXME ignoring out of order stanzas because ejabberd does + elseif mechanism == "ANONYMOUS" then + session.send(build_reply("failure", "mechanism-too-weak")); + return true; + end + if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then + session.send(build_reply("failure", "encryption-required")); + return true; + end + local valid_mechanism = session.sasl_handler:select(mechanism); + if not valid_mechanism then + session.send(build_reply("failure", "invalid-mechanism")); + return true; end return sasl_process_cdata(session, stanza); -end - -module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", sasl_handler); -module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", sasl_handler); +end); +module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event) + local session = event.origin; + if not(session.sasl_handler and session.sasl_handler.selected) then + session.send(build_reply("failure", "not-authorized", "Out of order SASL element")); + return true; + end + return sasl_process_cdata(session, event.stanza); +end); module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event) local session = event.origin; session.sasl_handler = nil;