This repository was archived by the owner on Jun 24, 2021. It is now read-only.

Commit 818a3fd

SASL: Disallow beginning : and space anywhere in AUTHENTICATE parameter
This is a FIX FOR A SECURITY VULNERABILITY. All Charybdis users must apply this fix if you support SASL on your servers, or unload m_sasl.so in the meantime.
1 parent f92b4d8 commit 818a3fd

1 file changed

+6
-0
lines changed

Diff for: modules/m_sasl.c

@@ -91,6 +91,12 @@ m_authenticate(struct Client *client_p, struct Client *source_p,
9191
return 0;
9292
}
9393

94+
if (*parv[1] == ':' || strchr(parv[1], ' '))
95+
{
96+
exit_client(client_p, client_p, client_p, "Malformed AUTHENTICATE");
97+
return 0;
98+
}
99+
94100
saslserv_p = find_named_client(ConfigFileEntry.sasl_service);
95101
if (saslserv_p == NULL || !IsService(saslserv_p))
96102
{
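
Review bot: the new check on `parv[1]` (new lines 94-98) has no comment saying why a leading `:` or any space is rejected, and since the commit message marks this as a security fix the reason should be recorded next to the code. In IRC message framing a space separates parameters and a leading `:` marks the trailing parameter, so a short comment above the `if` stating that the AUTHENTICATE parameter must remain a single token before it is handed on to the service looked up just below with `find_named_client(ConfigFileEntry.sasl_service)` would keep a later refactor from dropping or loosening the test. It is also worth stating in that comment whether an empty `parv[1]` can reach this point, because `*parv[1] == ':'` lets an empty string through. Finally, this branch disconnects the client with `exit_client(...)` rather than only returning; if that stricter response is deliberate, say so in the comment.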
