sbonazzo / rpms / cyrus-sasl

Forked from rpms/cyrus-sasl 2 years ago
SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch

b9abc1
From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Sun, 30 Mar 2014 15:13:34 +0100
Subject: When processing a list of mechanism names, we shouldn't allow a short
 prefix to match the whole mechanism name
"A", "AN", etc. were matching "ANONYMOUS". This patch fixes that.
As reported by plautrba@redhat.com
diff --git a/lib/common.c b/lib/common.c
index e0f59eb..672fe2f 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech,
         *plus = 0;
     }
 
+    if (n < strlen(plug_mech)) {
+	/* Don't allow arbitrary prefix match */
+	return 0;
+    }
+
     return (strncasecmp(req_mech, plug_mech, n) == 0);
 }
 
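Review bot: the new length guard before `strncasecmp(req_mech, plug_mech, n)` turns the comparison into a full-name, case-insensitive equality (once `n >= strlen(plug_mech)` the compare reaches `plug_mech`'s terminator, so a longer `req_mech` still fails), which is the intended fix; it would be worth saying so in the comment, since `/* Don't allow arbitrary prefix match */` does not explain why `n` is compared against the plugin name's length rather than the request's, and a regression test that `"A"` and `"AN"` no longer match `"ANONYMOUS"` (and that the exact name and the `-PLUS` variant handled by the `*plus = 0;` branch above still do) would pin the behaviour down. Style: the added `/* ... */` and `return 0;` lines are tab-indented while the surrounding block and the new `if` use four spaces.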
-- 
cgit v0.10.2