[ejabberd] external auth

jbowers jbowers at barracuda.com
Wed Apr 15 21:10:19 MSD 2009

Jorge Guntanis wrote:
>> The password is the last argument, so you can just do something like 
>> this:
>>    my ($op,$user,$domain,@buffer_remainder) = split /:/,$buf;
>>    my $password = join ':', @buffer_remainder;
> Again part of the above problem, the module assumes you will take care of 
> this at a higher layer, and not allow that character for starters. 
> This is a good catch though, maybe the module can separate the string 
> by using a character that cannot be input directly from a keyboard. I 
> will work on a patch for this and submit it.
All that patch would do is break existing implementations.

I know it looks wrong, but it is actually safe. The op, user, and domain 
are guaranteed not to have colons in them. op can only be a handful of 
hard-coded strings and user and domain are forbidden to have colons by 
the XMPP standard itself: 

If the username or the domain have colons, the login process will 
terminate before it gets far enough to send a request to the external 
auth script. It is not an "assumption", it is a correct implementation 
of the defined standard that you can rely on.

As long as I'm replying, the Perl code we use locally is: 

my ($op,$user,$domain,$password) = split /:/,$buf,4;

The "4" means it stops splitting at that point. I know we have users 
with colons in their password and it is not a problem.

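The two parsing approaches from this thread, run side by side on the same request bodies. This is an added example, not code from the post or from ejabberd. The names parse_request and %FIELDS are hypothetical, the op names are assumed from ejabberd's extauth documentation, and the sample requests are constructed. It goes slightly beyond the post by also rejecting unknown ops and wrong field counts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Field count per operation: 4 means the request ends with a password.
# Assumption: op names as documented for ejabberd extauth.
my %FIELDS = (
    auth   => 4, setpass    => 4, tryregister => 4, removeuser3 => 4,
    isuser => 3, removeuser => 3,
);

sub parse_request {
    my ($buf) = @_;
    # LIMIT 4: split stops after op, user and domain, so every later colon
    # (a trailing one included) stays inside the password.
    my ($op, $user, $domain, $password) = split /:/, $buf, 4;
    return unless defined($op)     && exists $FIELDS{$op};
    return unless defined($user)   && length($user);
    return unless defined($domain) && length($domain);
    if ($FIELDS{$op} == 4) {
        return unless defined($password);   # password field missing
    } else {
        return if defined($password);       # field that should not be there
    }
    return { op => $op, user => $user, domain => $domain, password => $password };
}

# Constructed sample request bodies (not captured traffic).
my @samples = (
    'auth:alice:example.org:s3cret',
    'auth:alice:example.org:pa:ss:word',
    'auth:alice:example.org:trailing:',
    'isuser:alice:example.org',
    'bogus:alice:example.org:x',
);

for my $buf (@samples) {
    my $req = parse_request($buf);
    # Split-then-rejoin, as in the quoted suggestion. Without a LIMIT, Perl
    # drops trailing empty fields, so a password ending in ':' loses it.
    my (undef, undef, undef, @rest) = split /:/, $buf;
    my $rejoined = join ':', @rest;
    my $limited  = defined($req) ? ($req->{password} // '(none)') : '(rejected)';
    printf "%-36s limit-4: %-12s rejoined: '%s'\n", $buf, $limited, $rejoined;
}
```

The third sample is the one where the approaches differ: the limited split returns the password with its trailing colon, while the rejoined value has lost it.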