Hi!
First: http://ldap.perl.org/ says the last release of perl-ldap
was (April 2005), but the changes file says:
perl-ldap 0.34 -- Sat Feb 10 17:39:49 CST 2007
I've spotted a problem in the Authen::SASL::Perl implementation.
To be more precise in Authen::SASL::Perl::DIGEST_MD5:
In client_step there is the following code to parse the challenge:
    while($challenge =~ s/^(?:\s*,)?\s*(\w+)=("([^\\"]+|\\.)*"|[^,]+)\s*//) {
The problem I stumbled across was parsing of a GnuSASL challenge like
this:
', realm="....", nonce="dxv3yw4CGXoSwh7IgmEj2Q==", qop="auth, auth-int, ",
, , charset=utf-8, algorithm=md5-sess, '
This is a valid challenge by http://www.ietf.org/rfc/rfc2831.txt where
a digest-challenge looks like:
digest-challenge =
1#( realm | nonce | qop-options | stale | maxbuf | charset
algorithm | cipher-opts | auth-param )
And below in section '7.1 Augmented BNF' it says:
#rule
...
Wherever this construct is used, null elements are
allowed, but do not contribute to the count of elements
present. That is, "(element), , (element) "
The code above fails to parse these empty elements. A quick local
hack was this:
    while($challenge =~
          s/^(?:(?:\s*,)?\s*(\w+)=("([^\\"]+|\\.)*"|[^,]+)\s*)|(?:(?:\s*,\s*))//) {
        my ($k, $v) = ($1,$2);
        next unless defined $1 or defined $2;
I don't like it, but it at least parses the GnuSASL challenge.
Greetings,
Robin Redeker
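Added example (not code from perl-ldap or Authen::SASL): a Perl script that runs the client_step loop quoted in the mail next to a small parser that follows the RFC 2831 #rule, on a constructed challenge of the same shape as the GnuSASL one. The realm value and the parse_digest_challenge name are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed challenge in the shape GnuSASL sends (see the mail above):
# quoted values containing commas plus null list elements (", ,").
my $challenge = 'realm="example.org", nonce="dxv3yw4CGXoSwh7IgmEj2Q==", '
              . 'qop="auth, auth-int, ",' . "\n" . ', , charset=utf-8, algorithm=md5-sess, ';

# The loop quoted from Authen::SASL::Perl::DIGEST_MD5::client_step: it stops
# at the first null element, so every directive after it is silently dropped.
sub parse_original {
    my ($c) = @_;
    my %h;
    while ($c =~ s/^(?:\s*,)?\s*(\w+)=("([^\\"]+|\\.)*"|[^,]+)\s*//) {
        $h{$1} = $2;
    }
    return (\%h, $c);                  # parsed directives and the unparsed tail
}

# Replacement parser following the #rule of RFC 2831 section 7.1: null
# elements are skipped, quoted values may hold commas and backslash escapes,
# and anything that is neither a directive nor a separator is an error
# rather than a silent stop.
sub parse_digest_challenge {
    my ($c) = @_;
    my %attr;
    pos($c) = 0;
    while (pos($c) < length $c) {
        last if $c =~ /\G\s*$/gc;                        # only blanks remain
        next if $c =~ /\G\s*,\s*/gc;                     # separator or null element
        if ($c =~ /\G\s*(\w+)=(?:"((?:[^\\"]|\\.)*)"|([^,]+))\s*/gc) {
            my ($k, $quoted, $bare) = ($1, $2, $3);
            my $v = defined $quoted ? $quoted : $bare;
            if (defined $quoted) { $v =~ s/\\(.)/$1/g }  # undo \" and \\ escapes
            else                 { $v =~ s/\s+$// }      # trim blanks after a bare value
            $attr{lc $k} = $v;                           # directive names lower-cased for lookup
            next;
        }
        die "malformed digest-challenge at offset " . pos($c) . "\n";
    }
    return \%attr;
}

my ($orig, $rest) = parse_original($challenge);
print "original loop parsed: ", join(',', sort keys %$orig), "\n";
print "original loop left unparsed: '$rest'\n";
my $attr = parse_digest_challenge($challenge);
print "rfc2831 parser got: ", join(',', sort keys %$attr), "\n";
print "qop = '$attr->{qop}', charset = '$attr->{charset}'\n";
```

The die on unparseable input is deliberate: a client that quietly stops at garbage may negotiate with an incomplete view of the server's qop and charset directives.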