downstream: don't echo back SASL mechanism
Some clients will queue up multiple AUTHENTICATE commands without waiting for a reply to avoid some roundtrips. However, that means the traffic looks like so:

    AUTHENTICATE <mechanism>
    AUTHENTICATE <base64 blob containing credentials>

soju will fail the first command, and will behave as if no SASL authentication was in progress when interpreting the second one. This means we'll echo back the security-sensitive base64 blob to the client in the error message, which is definitely not great. Stop doing that.
parent
9cdbee3b1b
commit
5b10348957
@ -1002,7 +1002,7 @@ func (dc *downstreamConn) handleAuthenticateCommand(msg *irc.Message) (result *d
|
|||||||
return nil, ircError{&irc.Message{
|
return nil, ircError{&irc.Message{
|
||||||
Prefix: dc.srv.prefix(),
|
Prefix: dc.srv.prefix(),
|
||||||
Command: irc.ERR_SASLFAIL,
|
Command: irc.ERR_SASLFAIL,
|
||||||
Params: []string{dc.nick, fmt.Sprintf("Unsupported SASL mechanism %q", mech)},
|
Params: []string{dc.nick, "Unsupported SASL mechanism"},
|
||||||
}}
|
}}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
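Review bot: the new Params line drops mech from the ERR_SASLFAIL reply without a comment saying why, so a later cleanup could easily restore the %q formatting for the sake of a friendlier error. Add a short comment above Params noting that the argument may be a base64 credentials blob from a pipelined AUTHENTICATE and must never be reflected to the client. The hunk shows only this one use of mech; any other use in handleAuthenticateCommand (a log line, another error reply) needs the same treatment, and a regression test that sends two back-to-back AUTHENTICATE lines and asserts the reply does not contain the second argument would pin the behaviour.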