Re: gsasl_client_suggest_mechanism() prefix matching
From: Simon Josefsson
Subject: Re: gsasl_client_suggest_mechanism() prefix matching
Date: Mon, 13 Jun 2022 07:51:58 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

"Kevin J. McCarthy" <kevin@8t8.us> writes:
> I was looking at how gsasl_client_suggest_mechanism() worked, and
> noticed it seems to accept prefix matches inside the mechlist
> parameter.
>
> It grabs a valid mechanism using strspn():
>   len = strspn (mechlist + i, GSASL_VALID_MECHANISM_CHARACTERS);
> and then further below checks:
>   if (strncmp (ctx->client_mechs[j].name, mechlist + i, len) == 0)
>
> But this would seem to allow a substring prefix to suggest that
> mechanism. If that wasn't intended, would it be worth adding another
> check, something like:
>   if ((strlen (ctx->client_mechs[j].name) == len) &&
>       (strncmp (ctx->client_mechs[j].name, mechlist + i, len) == 0))
>
> Thank you!
Hi Kevin. Sorry for the delay in answering this. Indeed, you are
right, and this should be fixed here:
https://git.savannah.gnu.org/cgit/gsasl.git/commit/?id=874fe5dc06341cb6bfad4e3a44056f6f7af8c6e7
/Simon
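
The matching behaviour discussed in this thread, as an added example that is not part of the original messages and is not gsasl's code: it tokenises a server mechanism list with strspn() and compares each token with and without the extra length check. The names `suggest`, `client_mechs` and `VALID_MECH_CHARS`, the sample mechanism table and the "highest index wins" selection rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Characters allowed in a SASL mechanism name (RFC 4422). Hypothetical
   stand-in for GSASL_VALID_MECHANISM_CHARACTERS. */
#define VALID_MECH_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"

/* Constructed table of client-supported mechanisms, weakest first. */
static const char *const client_mechs[] =
  { "PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256" };
#define N_MECHS (sizeof client_mechs / sizeof client_mechs[0])

/* Return the index of the strongest supported mechanism named in
   mechlist, or -1 if none matches (selection rule is an assumption).
   exact == 0: compare only the first len bytes, as reported above.
   exact != 0: also require the supported name to be exactly len long. */
static int
suggest (const char *mechlist, int exact)
{
  int best = -1;
  size_t i = 0, n = strlen (mechlist);

  while (i < n)
    {
      size_t len = strspn (mechlist + i, VALID_MECH_CHARS);
      if (len == 0) { i++; continue; }   /* separator, skip it */
      for (size_t j = 0; j < N_MECHS; j++)
        {
          if (exact && strlen (client_mechs[j]) != len)
            continue;           /* the proposed extra length check */
          if (strncmp (client_mechs[j], mechlist + i, len) == 0
              && (int) j > best)
            best = (int) j;
        }
      i += len;
    }
  return best;
}

int
main (void)
{
  /* Constructed server lists: a truncated name, then a real one. */
  printf ("%d %d\n", suggest ("SCRAM", 0), suggest ("SCRAM", 1));
  printf ("%d %d\n", suggest ("PLAIN", 0), suggest ("PLAIN", 1));
  return 0;
}
```

Only tokens shorter than a supported name are affected: a longer token such as `PLAINX` already fails the strncmp() because the comparison reaches the terminating NUL of `PLAIN`.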