downstream: don't echo back SASL mechanism

Some clients will queue up multiple AUTHENTICATE commands without
waiting for a reply to avoid some roundtrips. However that means
the traffic looks like so:

    AUTHENTICATE <mechanism>
    AUTHENTICATE <base64 blob containing credentials>

soju will fail the first command, and will behave as if no SASL
authentication was in progress when interpreting the second one.
This means we'll echo back the security-sensitive base64 blob to
the client in the error message, which is definitely not great.

Stop doing that.
This commit is contained in:
Simon Ser 2022-09-12 21:42:03 +02:00
parent 9cdbee3b1b
commit 5b10348957

View File

@ -1002,7 +1002,7 @@ func (dc *downstreamConn) handleAuthenticateCommand(msg *irc.Message) (result *d
return nil, ircError{&irc.Message{ return nil, ircError{&irc.Message{
Prefix: dc.srv.prefix(), Prefix: dc.srv.prefix(),
Command: irc.ERR_SASLFAIL, Command: irc.ERR_SASLFAIL,
Params: []string{dc.nick, fmt.Sprintf("Unsupported SASL mechanism %q", mech)}, Params: []string{dc.nick, "Unsupported SASL mechanism"},
}} }}
} }