Do not mention disallowed auth mechanisms in REJECTED message

Previously, all implemented mechanisms were included, even if the
sysadmin had configured them not to be allowed.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99621

diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
index 9a1de97e7c7ddf530ee583914da1d1004d5f3159..37d8d4c96bc18a1c77f1f38ca6ec71ea523f5758 100644 (file)
--- a/dbus/dbus-auth.c
+++ b/dbus/dbus-auth.c
@@ -1485,9 +1485,14 @@ send_rejected (DBusAuth *auth)
                             "REJECTED"))
     goto nomem;
 
-  i = 0;
-  while (all_mechanisms[i].mechanism != NULL)
+  for (i = 0; all_mechanisms[i].mechanism != NULL; i++)
     {
+      /* skip mechanisms that aren't allowed */
+      if (auth->allowed_mechs != NULL &&
+          !_dbus_string_array_contains ((const char**)auth->allowed_mechs,
+                                        all_mechanisms[i].mechanism))
+        continue;
+
       if (!_dbus_string_append (&command,
                                 " "))
         goto nomem;
@@ -1495,8 +1500,6 @@ send_rejected (DBusAuth *auth)
       if (!_dbus_string_append (&command,
                                 all_mechanisms[i].mechanism))
         goto nomem;
-      
-      ++i;
     }
   
   if (!_dbus_string_append (&command, "\r\n"))