[Pidgin] #11320: Pidgin incorrectly requests plaintext auth over an unencrypted connection for XMPP if an unknown mechanism is seen by cyrus-sasl
Pidgin
trac at pidgin.im
Wed Feb 10 15:26:12 EST 2010
-------------------------+--------------------------------------------------
Reporter: dreiss | Owner: deryni
Type: enhancement | Status: new
Milestone: | Component: XMPP
Version: 2.6.4 | Resolution:
Keywords: |
-------------------------+--------------------------------------------------
Comment(by darkrain42):
I think so (if you do this, base your patch on im.pidgin.pidgin trunk, or
wait until 2.6.6 is released, because I moved the auth code all around).
Instead of saying "Authentication failed", though, fall back to legacy
auth (I think that will keep "compatibility").
It looks to me like the warning/password prompt currently can appear even
if there aren't any more mechanisms offered by the server (e.g., the
server advertises DIGEST-MD5. We try DIGEST-MD5 and it fails, so that
mechanism is removed from the available list. We then try again, and (I
assume) cyrus returns SASL_NOMECH, so we prompt for a password/plaintext
auth). I didn't test this, so maybe that can't occur, but if it does,
that should be fixed (try to fall back to the legacy auth immediately if
the mech list is empty/all whitespace).
--
Ticket URL: <http://developer.pidgin.im/ticket/11320#comment:3>
Pidgin <http://pidgin.im>
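The mechanism-list handling described in the comment above, as an added illustration written for this page and not Pidgin's own code: a constructed model in which a failed mechanism is removed from the server's list, a list that is empty, all whitespace, or made up only of mechanisms the SASL library cannot drive (the SASL_NOMECH case) falls back to legacy auth instead of prompting for a plaintext password, and the plaintext warning is reserved for PLAIN over an unencrypted stream. The `known_mechs` table, the step enum and the "first known mech wins" selection are assumptions of the model.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Constructed model of the mech-selection decision; not Pidgin's code. */
typedef enum { STEP_TRY_SASL, STEP_LEGACY_AUTH, STEP_PROMPT_PLAINTEXT } auth_step;
/* Mechanisms the simulated SASL library can drive; anything else behaves
 * like cyrus returning SASL_NOMECH. (Assumed table, not cyrus's real list.) */
static const char *const known_mechs[] = { "DIGEST-MD5", "PLAIN", NULL };

/* Next whitespace-separated token of *p, or NULL at end of list. */
static const char *next_tok(const char **p, size_t *len) {
    const char *s = *p;
    while (*s && isspace((unsigned char)*s)) s++;
    const char *tok = s;
    while (*s && !isspace((unsigned char)*s)) s++;
    *p = s; *len = (size_t)(s - tok);
    return *len ? tok : NULL;
}
static bool tok_eq(const char *tok, size_t len, const char *s) {
    return strlen(s) == len && memcmp(tok, s, len) == 0;
}
/* Drop every occurrence of `mech` from the list, in place, without leaving gaps. */
void remove_mech(char *mechs, const char *mech) {
    const char *src = mechs, *tok; size_t len; char *dst = mechs;
    while ((tok = next_tok(&src, &len)) != NULL) {
        if (tok_eq(tok, len, mech)) continue;
        if (dst != mechs) *dst++ = ' ';
        memmove(dst, tok, len);
        dst += len;
    }
    *dst = '\0';
}
/* First mech in server order that the library knows, or NULL (== SASL_NOMECH).
 * A blank or all-whitespace list yields NULL too. */
const char *pick_known_mech(const char *mechs) {
    const char *tok; size_t len;
    while ((tok = next_tok(&mechs, &len)) != NULL)
        for (int i = 0; known_mechs[i]; i++)
            if (tok_eq(tok, len, known_mechs[i])) return known_mechs[i];
    return NULL;
}
/* Decide the next step after `failed` (may be NULL) has just failed;
 * `encrypted` says whether the stream is already under TLS. */
auth_step next_auth_step(char *mechs, const char *failed, bool encrypted) {
    if (failed) remove_mech(mechs, failed);
    const char *mech = pick_known_mech(mechs);
    if (mech == NULL) return STEP_LEGACY_AUTH;   /* empty list or nothing we can drive */
    if (!encrypted && strcmp(mech, "PLAIN") == 0) return STEP_PROMPT_PLAINTEXT;
    return STEP_TRY_SASL;
}
```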