Mercurial > prosody-modules
view mod_sasl_ssdp/mod_sasl_ssdp.lua @ 5956:97375a78d2b5
mod_http_oauth2: Reject URLs with 'userinfo' part (thanks mimi89999)
The LuaSocket parser supports these but they're deprecated without
replacement by RFC 3986
> Use of the format "user:password" in the userinfo field is deprecated
Allowing it in OAuth2 URLs is probably bad from a security perspective.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 29 Aug 2024 16:02:46 +0200 |
parents | bb51cf204dd4 |
children |
line wrap: on
line source
local array = require "util.array"; local hashes = require "util.hashes"; local it = require "util.iterators"; local base64_enc = require "util.encodings".base64.encode; local hash_functions = { ["SCRAM-SHA-1"] = hashes.sha1; ["SCRAM-SHA-1-PLUS"] = hashes.sha1; ["SCRAM-SHA-256"] = hashes.sha256; ["SCRAM-SHA-256-PLUS"] = hashes.sha256; }; function add_ssdp_info(event) local sasl_handler = event.session.sasl_handler; local hash = hash_functions[sasl_handler.selected]; if not hash then module:log("debug", "Not enabling SSDP for unsupported mechanism: %s", sasl_handler.selected); return; end local mechanism_list = array.collect(it.keys(sasl_handler:mechanisms())):sort(); local cb = sasl_handler.profile.cb; local cb_list = cb and array.collect(it.keys(cb)):sort(); local ssdp_string; if cb_list then ssdp_string = mechanism_list:concat(",").."|"..cb_list:concat(","); else ssdp_string = mechanism_list:concat(","); end module:log("debug", "Calculated SSDP string: %s", ssdp_string); event.message = event.message..",d="..base64_enc(hash(ssdp_string)); sasl_handler.state.server_first_message = event.message; end module:hook("sasl/c2s/challenge", add_ssdp_info, 1); module:hook("sasl2/c2s/challenge", add_ssdp_info, 1);