sbonazzo / rpms / cyrus-sasl

Forked from rpms/cyrus-sasl 2 years ago
Clone
Source Code
GIT

Files

  1.   98b3ea92cc2d9a260ba7c777d74d0351a64a7c7c
  2.   SOURCES
  3.   cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
Blob Blame History Raw 
From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Sun, 30 Mar 2014 15:13:34 +0100
Subject: When processing a list of mechanism names, we shouldn't allow a short
 prefix match the whole mechanism name

"A", "AN", etc where matching "ANONYMOUS". This patch fixes that.

As reported by plautrba@redhat.com

diff --git a/lib/common.c b/lib/common.c
index e0f59eb..672fe2f 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech,
         *plus = 0;
     }
 
+    if (n < strlen(plug_mech)) {
+	/* Don't allow arbitrary prefix match */
+	return 0;
+    }
+
     return (strncasecmp(req_mech, plug_mech, n) == 0);
 }
 
-- 
cgit v0.10.2

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation