[ejabberd] external auth

jbowers jbowers at barracuda.com
Wed Apr 15 21:10:19 MSD 2009


Jorge Guntanis wrote:
>> The password is the last argument, so you can just do something like 
>> this:
>>
>>    my ($op,$user,$domain,@buffer_remainder) = split /:/,$buf;
>>    my $password = join ':', @buffer_remainder;
>>
> Again part of the above problem, the module assumes you will take care of 
> this at a higher layer, and not allow that character from starters. 
> This is a good catch though, maybe the module can separate the string 
> by using a character that cannot be input directly from a keyboard. I 
> will work on a patch for this and submit it.
>
All that patch would do is break existing implementations.

I know it looks wrong, but it is actually safe. The op, user, and domain 
are guaranteed not to have colons in them. op can only be a handful of 
hard-coded strings and user and domain are forbidden to have colons by 
the XMPP standard itself: 
http://xmpp.org/internet-drafts/attic/draft-ietf-xmpp-nodeprep-03.html#prohibited

If the username or the domain have colons, the login process will 
terminate before it gets far enough to send a request to the external 
auth script. It is not an "assumption", it is a correct implementation 
of the defined standard that you can rely on.

As long as I'm replying, the Perl code we use locally is:

my ($op,$user,$domain,$password) = split /:/,$buf,4;

The "4" means it stops splitting at that point. I know we have users 
with colons in their password and it is not a problem.

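The limited split discussed in this thread, as an added example that is not part of the original message or of ejabberd's own code: it parses an `op:user:domain:password` payload so that colons survive only in the password, and rejects requests with too few fields. The op names `auth`, `isuser` and `setpass` come from ejabberd's extauth interface rather than from this message; `parse_request`, `%FIELDS` and the sample payloads are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Number of colon-separated fields each op carries (assumed subset of ops).
# Only the last field of a 4-field request, the password, may contain ':'.
my %FIELDS = (auth => 4, isuser => 3, setpass => 4);

# Parse one request payload. Returns a hashref, or nothing if malformed.
sub parse_request {
    my ($buf) = @_;
    my ($op) = split /:/, $buf, 2;
    return unless defined $op && exists $FIELDS{$op};
    my $want = $FIELDS{$op};

    # A positive limit stops splitting after $want fields, so every later
    # colon stays inside the final field instead of creating new fields.
    my @f = split /:/, $buf, $want;
    return unless @f == $want;                  # e.g. auth without a password
    return if $f[1] eq '' || $f[2] eq '';       # empty user or domain

    # For 3-field ops a colon could only end up in the domain; XMPP forbids
    # that, so treat it as a malformed request rather than trusting it.
    return if $want == 3 && $f[2] =~ /:/;

    return { op => $f[0], user => $f[1], domain => $f[2], password => $f[3] };
}

# Constructed sample payloads (not captured traffic).
my @samples = (
    'auth:alice:example.org:p:a:ss',     # password containing colons
    'auth:alice:example.org:',           # empty password, still 4 fields
    'auth:alice:example.org',            # password field missing
    'isuser:alice:example.org',          # 3-field op
    'bogus:alice:example.org:x',         # unknown op
);

for my $buf (@samples) {
    my @naive = split /:/, $buf;         # unlimited split, for comparison
    my $req   = parse_request($buf);
    my $shown = $req
        ? join '|', map { $_ // '(none)' } @$req{qw(op user domain password)}
        : 'rejected';
    printf "%-32s naive=%d fields  parsed=%s\n", $buf, scalar @naive, $shown;
}
```

The first sample shows the difference: the unlimited split yields six fields and would lose part of the password, while the limited split returns it whole as `p:a:ss`.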