checking stringprep in scram authentication

2024-11-22 16:20:52 +01:00 · 2015-01-08 14:12:05 +09:00 · 2015-01-08 14:12:05 +09:00 · ede5a353e8
commit ede5a353e8
parent afaf68159d
1 changed files with 4 additions and 2 deletions
--- a/src/cyrsasl_scram.erl
+++ b/src/cyrsasl_scram.erl
@ -76,9 +76,11 @@ mech_step(#state{step = 2} = State, ClientIn) ->
 		  UserName ->
 		      case parse_attribute(ClientNonceAttribute) of
 			{$r, ClientNonce} ->
-			    case (State#state.get_password)(UserName) of
+			    {Ret, _AuthModule} = (State#state.get_password)(UserName),
+			    case {Ret, jlib:resourceprep(Ret)} of
 			      {false, _} -> {error, <<"not-authorized">>, UserName};
-			      {Ret, _AuthModule} ->
+			      {_, error} -> ?WARNING_MSG("invalid password", []), {error, <<"not-authorized">>, UserName};
+			      {Ret, _} ->
 				  {StoredKey, ServerKey, Salt, IterationCount} =
 				      if is_tuple(Ret) -> Ret;
 					 true ->