On Jul 15, 2007, at 2:58 AM, Robin Redeker wrote:
Hi!
First: http://ldap.perl.org/ says last release of perl-ldap
was (April 2005) but the changes file says:
perl-ldap 0.34 -- Sat Feb 10 17:39:49 CST 2007
I've spotted a problem in the Authen::SASL::Perl implementation.
To be more precise in Authen::SASL::Perl::DIGEST_MD5:
In client_step there is following code to parse the challenge:
while($challenge =~ s/^(?:\s*,)?\s*(\w+)=("([^\\"]+|\\.)*"|[^,]+)\s*//) {
Would it not have worked to just change that first ? to be a * and
add (?:,\s*)* to the end
while($challenge =~ s/^(?:\s*,)*\s*(\w+)=("([^\\"]+|\\.)*"|[^,]+)\s*(?:,\s*)*//) {
Graham.
The problem I stumbled across was parsing of a GnuSASL challenge like
this:
', realm="....", nonce="dxv3yw4CGXoSwh7IgmEj2Q==", qop="auth,
auth-int, ", , , charset=utf-8, algorithm=md5-sess, '
This is a valid challenge by http://www.ietf.org/rfc/rfc2831.txt where
a digest-challenge looks like:
digest-challenge =
1#( realm | nonce | qop-options | stale | maxbuf | charset
algorithm | cipher-opts | auth-param )
And below in section '7.1 Augmented BNF' it says:
#rule
...
Wherever this construct is used, null elements are
allowed, but do not contribute to the count of elements
present. That is, "(element), , (element) "
The code above fails to parse these empty elements. A quick local
hack was this:
while($challenge =~ s/^(?:(?:\s*,)?\s*(\w+)=("([^\\"]+|\\.)*"|[^,]+)\s*)|(?:(?:\s*,\s*))//) {
my ($k, $v) = ($1,$2);
next unless defined $1 or defined $2;
I don't like it, but it at least parses the GnuSASL challenge.
Greetings,
Robin Redeker
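Added example (not code from the thread or from Authen::SASL): the element pattern from Authen::SASL::Perl::DIGEST_MD5 and Graham's corrected pattern, run side by side over a challenge constructed after the GnuSASL one quoted above, so the early stop on the ", , ," run and the fix can be seen directly. The realm value is a placeholder; the remaining values are the ones from the mail.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample, modelled on the GnuSASL challenge quoted in the thread;
# the realm is a placeholder, the other values are taken from the mail.
my $challenge = 'realm="example.org", nonce="dxv3yw4CGXoSwh7IgmEj2Q==", '
              . 'qop="auth, auth-int, ", , , charset=utf-8, algorithm=md5-sess, ';

# Element pattern as in Authen::SASL::Perl::DIGEST_MD5 at the time: at most one
# leading comma, and nothing consumed after the value.  A run of null elements
# (", , ,") leaves a comma at the front that neither branch can match, so the
# loop stops early and every later directive is silently dropped.
my $original = qr/^(?:\s*,)?\s*(\w+)=("(?:[^\\"]+|\\.)*"|[^,]+)\s*/;

# Graham's suggested change: allow any number of commas (null elements) both
# before and after each element, as RFC 2831 section 7.1 permits for #rule.
my $fixed    = qr/^(?:\s*,)*\s*(\w+)=("(?:[^\\"]+|\\.)*"|[^,]+)\s*(?:,\s*)*/;

# Consume the challenge one directive at a time; return (hashref, leftover).
# Non-empty leftover means the parser gave up before the end of the input.
sub parse_digest_challenge {
    my ($re, $c) = @_;
    my %kv;
    while ($c =~ s/$re//) {
        my ($k, $v) = ($1, $2);
        if ($v =~ s/^"(.*)"$/$1/s) {     # quoted-string: drop quotes, unescape
            $v =~ s/\\(.)/$1/g;
        } else {                           # token: trim trailing blanks
            $v =~ s/\s+$//;
        }
        $kv{lc $k} = $v;
    }
    return (\%kv, $c);
}

for my $case ([original => $original], [fixed => $fixed]) {
    my ($name, $re) = @$case;
    my ($kv, $rest) = parse_digest_challenge($re, $challenge);
    printf "%-8s parsed %d directives, leftover '%s'\n",
        $name, scalar keys %$kv, $rest;
    printf "         %s=%s\n", $_, $kv->{$_} for sort keys %$kv;
}
```

With the original pattern the loop stops after qop and leaves ", , , charset=utf-8, algorithm=md5-sess, " unparsed; with the corrected pattern all five directives are read and the leftover is empty.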