lib-sasl: sasl-client-mech-oauthbearer - Prevent sending unsupported characters in...
authorStephan Bosch <stephan.bosch@open-xchange.com>
Sun, 7 Sep 2025 15:13:06 +0000 (17:13 +0200)
committertimo.sirainen <timo.sirainen@open-xchange.com>
Thu, 9 Oct 2025 08:41:22 +0000 (08:41 +0000)
src/lib-sasl/dsasl-client-mech-oauthbearer.c
src/lib-sasl/sasl-oauth2.c
src/lib-sasl/sasl-oauth2.h
src/lib-sasl/test-sasl-oauth2.c

index 6b8d81f84ab9025d238d1f0001f8384526cccadf..e6ebfe4ebbd4f690f2a98cd28b53478e8dc959a6 100644 (file)
@@ -6,6 +6,7 @@
 #include "json-istream.h"
 #include "istream.h"
 #include "auth-gs2.h"
+#include "sasl-oauth2.h"
 #include "dsasl-client-private.h"
 
 struct oauthbearer_dsasl_client {
@@ -105,6 +106,10 @@ mech_oauthbearer_output(struct dsasl_client *_client,
                *error_r = "password not set";
                return DSASL_CLIENT_RESULT_ERR_INTERNAL;
        }
+       if (!sasl_oauth2_kvpair_check_value(_client->password)) {
+               *error_r = "password contains unsupported characters";
+               return DSASL_CLIENT_RESULT_ERR_INTERNAL;
+       }
 
        struct auth_gs2_header gs2_header = {
                .authzid = _client->set.authid,
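Review bot: Only `_client->password` is validated before the message is built, while `_client->set.authid` goes into the GS2 header on the lines that follow and the rest of mech_oauthbearer_output lies outside this hunk. If any other caller-supplied setting is written into a key/value pair further down, it should pass `sasl_oauth2_kvpair_check_value()` too. Otherwise a short comment above the check should say why the token is the only field that needs it, for example `/* the bearer token is the only caller-supplied kvpair value */`, once that is confirmed against the code below. The same question applies to mech_xoauth2_output in the next hunk.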
@@ -143,6 +148,10 @@ mech_xoauth2_output(struct dsasl_client *_client,
                *error_r = "password not set";
                return DSASL_CLIENT_RESULT_ERR_INTERNAL;
        }
+       if (strchr(_client->password, 0x01) != NULL) {
+               *error_r = "password contains unsupported characters";
+               return DSASL_CLIENT_RESULT_ERR_INTERNAL;
+       }
 
        str = str_new(_client->pool, 64);
 
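Review bot: The XOAUTH2 check is narrower than the OAUTHBEARER one and uses a bare `0x01`: it rejects only the separator byte, so other control characters that `sasl_oauth2_kvpair_check_value()` would presumably refuse still pass here. If that is deliberate because XOAUTH2 has no formal value grammar, say so above the check, for example `/* XOAUTH2 fields are delimited by ^A (0x01); no further value restrictions are defined */`. The body of mech_xoauth2_output continues past the hunk, so it cannot be seen from here whether the user name appended to `str` gets the same check.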
index cfb4ce991528cce6d6a5cbb3987675c0b7d17fc4..15b6737cf6b7751ff3e57f56955755cb9dd073d6 100644 (file)
@@ -85,3 +85,14 @@ int sasl_oauth2_kvpair_parse(const unsigned char *data, size_t size,
        *end_r = p;
        return 0;
 }
+
+bool sasl_oauth2_kvpair_check_value(const char *value)
+{
+       const unsigned char *p = (const unsigned char *)value;
+       const unsigned char *pend = p + strlen(value);
+
+       while (p < pend && (char_lookup[*p] & value_mask) != 0x00)
+               p++;
+
+       return (p == pend);
+}
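Review bot: sasl_oauth2_kvpair_check_value() has no comment stating its contract, either here or on the declaration added to sasl-oauth2.h in the next hunk. It calls `strlen(value)` unconditionally, so a NULL argument is undefined behaviour; both callers in this commit test the password for NULL first, but the header does not say that is required. A comment on the declaration would cover it: `/* Returns TRUE if every byte of the NUL-terminated value is allowed in a kvpair value (an empty string is accepted). value must not be NULL. */`. `char_lookup` and `value_mask` are defined outside this hunk, so the exact accepted set should be named there rather than guessed here.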
index a9640b825263d20b95bb68d4de42b660412ca669..9b58e0f232ddbf83aaa7ad244ef05cddeb0ad7f0 100644 (file)
@@ -6,4 +6,6 @@ int sasl_oauth2_kvpair_parse(const unsigned char *data, size_t size,
                             const unsigned char **end_r,
                             const char **error_r);
 
+bool sasl_oauth2_kvpair_check_value(const char *value);
+
 #endif
index 1bf43a52fc17a38c8a912a80bc85365cb3b7c4db..c142e400ef0211c7b5c5a1224acea8ad2566f2a3 100644 (file)
@@ -155,6 +155,8 @@ test_kvpair_valid_next(const unsigned char **in, const unsigned char *in_end,
 
        test_assert_strcmp(key, test->key);
        test_assert_strcmp(value, test->value);
+
+       test_assert(sasl_oauth2_kvpair_check_value(value));
 }
 
 static void test_kvpair_valid(void)
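Review bot: The added assertion exercises only the accepting path, since every `value` reaching it has just been parsed successfully. Nothing in this hunk checks that sasl_oauth2_kvpair_check_value() returns FALSE for a value it must reject, which is the behaviour the two client mechanisms now depend on. A negative case such as `test_assert(!sasl_oauth2_kvpair_check_value("a\001b"));` would pin that, assuming 0x01 is outside `value_mask` because it is the separator. It belongs in a test of its own rather than in test_kvpair_valid_next().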