ircv3 / ircv3-specifications

IRCv3 specifications | Roadmap: https://git.io/IRCv3-Roadmap | Code of conduct: http://ircv3.net/conduct.html
http://ircv3.net

sasl-3.1: Mention size limit of incoming SASL authentication messages #529

Open delthas opened 1 year ago

delthas commented 1 year ago

An unauthenticated client can accumulate SASL message data by repeatedly sending 400-byte AUTHENTICATE messages.

A naive server implementation might accumulate SASL message data in a buffer indefinitely, causing... an OOM from unauthenticated users.

It could be useful to either mention this as advice to service developers (informational), or to mention a max limit (in bytes, probably) (informative, or even normative if we want to enforce a max size, but I suppose that it's too late for that).

slingamn commented 1 year ago

+1 for adding non-normative implementation guidance