auth: disable PLAIN when other mechanisms are supported

PLAIN mechanism sends password in BASE64 encoding which everyone can
read. As result, debug logs expose password and users often don't remove
it when post the logs in the Internet.

Usually, both a secure mechanism and PLAIN are used in the scenario when
username or password is incorrect. PLAIN fails in this scenario anyway.
This commit is contained in:
Dmitry Podgorny
2019-10-01 23:38:50 +03:00
parent 30f3cc9263
commit 2bf5cc0e41
2 changed files with 5 additions and 0 deletions

View File

@@ -259,6 +259,10 @@ static int _handle_features(xmpp_conn_t * const conn,
}
}
/* Disable PLAIN when other secure mechanisms are supported */
if (conn->sasl_support & ~(SASL_MASK_PLAIN | SASL_MASK_ANONYMOUS))
conn->sasl_support &= ~SASL_MASK_PLAIN;
_auth(conn);
return 0;