search

lhost / sendxmpp

perl-script to send xmpp (jabber), similar to what mail(1) does for mail.
64 stars 22 forks source link

passwords with spaces not supported in .sendxmpprc #9

Closed ben0x4a closed 10 years ago

ben0x4a commented 10 years ago

Since the fields in .sendxmpprc are whitespace seperated, there is no way to enter a password with a space in it.

matthiasbock commented 10 years ago

Are you sure? Have you tried quotation: "password" or 'password' ?

ben0x4a commented 10 years ago

I am sure. Adding quotes just makes things worse, the quotes get included as part of the password.

[ben@Nyx:~/projects/sendxmpp] cat ~/.sendxmpprc ben@im.office.gdi 'secret hello what' hello [ben@Nyx:~/projects/sendxmpp] echo "test message" | ./sendxmpp -v --ssl -j im.office.gdi ben@im.office.gdi Use of uninitialized value $args{"file"} in lc at /usr/share/perl5/Net/XMPP/Debug.pm line 154. syntax error in line 1 of /home/ben/.sendxmpprc

[ben@Nyx:~/projects/sendxmpp] cat ~/.sendxmpprc ben@im.office.gdi "secret hello what" hello [ben@Nyx:~/projects/sendxmpp] echo "test message" | ./sendxmpp -v --ssl -j im.office.gdi ben@im.office.gdi Use of uninitialized value $args{"file"} in lc at /usr/share/perl5/Net/XMPP/Debug.pm line 154. syntax error in line 1 of /home/ben/.sendxmpprc

[ben@Nyx:~/projects/sendxmpp] cat ~/.sendxmpprc ben@im.office.gdi "secrethello" there [ben@Nyx:~/projects/sendxmpp] echo "test message" | ./sendxmpp -v --ssl -j im.office.gdi ben@im.office.gdi Use of uninitialized value $args{"file"} in lc at /usr/share/perl5/Net/XMPP/Debug.pm line 154. sendxmpp: config: 'password' => '"secrethello"' sendxmpp: config: 'component' => 'there' sendxmpp: config: 'jserver' => 'im.office.gdi' sendxmpp: config: 'port' => '0' sendxmpp: config: 'username' => 'ben' sendxmpp: ssl_verify: 1 sendxmpp: tls_capath: Use of uninitialized value within @ in lc at /usr/share/perl5/XML/Stream/Parser.pm line 71. sendxmpp: Connect: 1 Error 'AuthSend': error: not-authorized[?] sendxmpp: Disconnect

It comes down to the regex here: if (/([.\w_#-]+)@([-.\w:;]+)\s+(\S+)\s*(\S+)?$/) { %config = ( 'username' => $1, 'jserver' => $2, 'port' => 0, 'password' => $3, 'component' => $4, );

The password (\S+) matches non-whitespace characters. No quoting or escaping is checked for. Adding support for quoting in the regex would be difficult without breaking passwords with quotation marks in them. Probably the best option would be to put each field on a seperate line, like: account: user server: server password: "password" component: componentname and consider everything between the first and last " part of the password, so ""hello there" => "hello there

lhost commented 10 years ago

Hi all,

I will check this issue this week and provide a patch. The biggest problem is backward compatibility but it is not a problem at all. :-)

Thanks for your report.

Regards, LH On Sep 12, 2014 5:20 PM, "ben0x4a" notifications@github.com wrote:

I am sure. Adding quotes just makes things worse, the quotes get included as part of the password.

[ben@Nyx:~/projects/sendxmpp] cat ~/.sendxmpprc ben@im.office.gdi 'secret hello what' hello [ben@Nyx:~/projects/sendxmpp] echo "test message" | ./sendxmpp -v --ssl -j im.office.gdi ben@im.office.gdi Use of uninitialized value $args{"file"} in lc at /usr/share/perl5/Net/XMPP/Debug.pm line 154. syntax error in line 1 of /home/ben/.sendxmpprc

[ben@Nyx:~/projects/sendxmpp] cat ~/.sendxmpprc ben@im.office.gdi "secret hello what" hello [ben@Nyx:~/projects/sendxmpp] echo "test message" | ./sendxmpp -v --ssl -j im.office.gdi ben@im.office.gdi Use of uninitialized value $args{"file"} in lc at /usr/share/perl5/Net/XMPP/Debug.pm line 154. syntax error in line 1 of /home/ben/.sendxmpprc

[ben@Nyx:~/projects/sendxmpp] cat ~/.sendxmpprc ben@im.office.gdi "secrethello" there [ben@Nyx:~/projects/sendxmpp] echo "test message" | ./sendxmpp -v --ssl -j im.office.gdi ben@im.office.gdi Use of uninitialized value $args{"file"} in lc at /usr/share/perl5/Net/XMPP/Debug.pm line 154. sendxmpp: config: 'password' => '"secrethello"' sendxmpp: config: 'component' => 'there' sendxmpp: config: 'jserver' => 'im.office.gdi' sendxmpp: config: 'port' => '0' sendxmpp: config: 'username' => 'ben' sendxmpp: ssl_verify: 1 sendxmpp: tls_capath: Use of uninitialized value within @ in lc at /usr/share/perl5/XML/Stream/Parser.pm line 71. sendxmpp: Connect: 1 Error 'AuthSend': error: not-authorized[?] sendxmpp: Disconnect

It comes down to the regex here: if (/([.\w_#-]+)@([-.\w:;]+)\s+(\S+)\s*(\S+)?$/) { %config = ( 'username' => $1, 'jserver' => $2, 'port' => 0, 'password' => $3, 'component' => $4, );

The password (\S+) matches non-whitespace characters. No quoting or escaping is checked for. Adding support for quoting in the regex would be difficult without breaking passwords with quotation marks in them. Probably the best option would be to put each field on a seperate line, like: account: user server: server password: "password" component: componentname and consider everything between the first and last " part of the password, so ""hello there" => "hello there

— Reply to this email directly or view it on GitHub https://github.com/lhost/sendxmpp/issues/9#issuecomment-55417969.

lhost commented 10 years ago

Fixed