The Lua function string.find() with two arguments only does pattern
matching. The way it's used here means the email and domain returned
by Google are interpreted as a pattern. If the email contains characters
which have special meaning in patterns (like . and -) this leads
to unwanted behaviour. Either the email doesn't match even though it
should, and access is denied, or (worse) it matches even though it
shouldn't, and access is granted.

The fix uses all four arguments; the 4th parameter true turns off
pattern matching so the function does a plain substring search.
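
The two failure modes described above, side by side with the four-argument form. This is an added example, not code from the project: the helper names, whitelist strings and addresses are constructed for illustration.

```lua
-- Added example. listed_pattern/listed_plain are hypothetical helpers;
-- the whitelist strings and addresses below are constructed sample data.

-- Two-argument form: the value being looked up is compiled as a Lua pattern.
local function listed_pattern(whitelist, value)
  return string.find(whitelist, value) ~= nil
end

-- Four-argument form: init = 1, plain = true, so the value is matched literally.
local function listed_plain(whitelist, value)
  return string.find(whitelist, value, 1, true) ~= nil
end

local cases = {
  -- "." matches any character, so an address that is not listed is accepted.
  { whitelist = "johnXdoe@example.com", value = "john.doe@example.com", expect = false },
  -- Same effect on a domain entry: "." also matches "-".
  { whitelist = "example-com",          value = "example.com",          expect = false },
  -- "n-" means "zero or more n", so the literal "-" in the list never matches.
  { whitelist = "john-doe@example.com", value = "john-doe@example.com", expect = true },
  -- An address that is listed and happens to survive pattern interpretation.
  { whitelist = "john.doe@example.com", value = "john.doe@example.com", expect = true },
}

for _, c in ipairs(cases) do
  local by_pattern = listed_pattern(c.whitelist, c.value)
  local by_plain = listed_plain(c.whitelist, c.value)
  -- The plain search must agree with the intended decision in every case.
  assert(by_plain == c.expect, "plain search disagrees for " .. c.value)
  print(string.format("%-22s in %-22s pattern=%-5s plain=%-5s expected=%s",
    c.value, c.whitelist, tostring(by_pattern), tostring(by_plain), tostring(c.expect)))
end
```

The first two rows show access granted by the pattern form where it should be denied, and the third shows it denied where it should be granted. With plain = true the search is still a substring test, so an exact-match decision needs delimiters around entries or a table lookup.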