auth: disable PLAIN when other mechanisms are supported
PLAIN mechanism sends password in BASE64 encoding which everyone can read. As result, debug logs expose password and users often don't remove it when post the logs in the Internet. Usually, both a secure mechanism and PLAIN are used in the scenario when username or password is incorrect. PLAIN fails in this scenario anyway.
This commit is contained in:
@@ -259,6 +259,10 @@ static int _handle_features(xmpp_conn_t * const conn,
|
||||
}
|
||||
}
|
||||
|
||||
/* Disable PLAIN when other secure mechanisms are supported */
|
||||
if (conn->sasl_support & ~(SASL_MASK_PLAIN | SASL_MASK_ANONYMOUS))
|
||||
conn->sasl_support &= ~SASL_MASK_PLAIN;
|
||||
|
||||
_auth(conn);
|
||||
|
||||
return 0;
|
||||
|
||||
Reference in New Issue
Block a user