Closed dseomn closed 3 years ago
Both user and server can't have ':' in them, and the password, which can have it, is always the last element. So it should always be possible to parse the input unambiguously.
Ok, I've added this clarification to the developers section
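An added example, not code from ejabberd or from anyone in this thread, of a parser that follows the rule in the reply above: split on at most the first three colons and keep the rest as the password. The leading operation field, the operation names (`auth`, `setpass`, `isuser`) and the 2-byte big-endian length prefix are assumptions taken from ejabberd's external-authentication documentation rather than from this page.

```python
import struct

# Operations and whether a Password field follows Server. The names are
# assumed from ejabberd's external-auth documentation, not from this thread.
HAS_PASSWORD = {"auth": True, "setpass": True, "isuser": False}


class ProtocolError(ValueError):
    pass


def parse_request(payload: bytes):
    """Split 'op:User:Server[:Password]' without ever splitting the password."""
    text = payload.decode("utf-8")  # invalid bytes raise a ValueError subclass
    op, sep, rest = text.partition(":")
    if not sep or op not in HAS_PASSWORD:
        raise ProtocolError(f"unknown or malformed operation: {op!r}")
    if HAS_PASSWORD[op]:
        # At most two more splits: everything after the third colon of the
        # whole message is the password, colons included.
        parts = rest.split(":", 2)
        if len(parts) != 3:
            raise ProtocolError("expected User:Server:Password")
        user, server, password = parts
    else:
        # No password field here, so any extra colon is a malformed request.
        parts = rest.split(":")
        if len(parts) != 2:
            raise ProtocolError("expected User:Server with no extra colons")
        user, server = parts
        password = None
    if not user or not server:
        raise ProtocolError("empty User or Server")
    return op, user, server, password


def read_frame(stream):
    """Read one message: 2-byte big-endian length (assumed), then the body."""
    header = stream.read(2)
    if len(header) != 2:
        raise ProtocolError("short length header")
    (length,) = struct.unpack(">H", header)
    body = stream.read(length)
    if len(body) != length:
        raise ProtocolError("truncated message")
    return body


# Constructed sample: a password that itself contains colons.
SAMPLE = b"auth:alice:example.org:p:a:ss"
```

Rejecting extra colons in operations that carry no password keeps a malformed request from being silently reinterpreted as a different user or server.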
Is your feature request related to a problem? Please describe.
https://docs.ejabberd.im/developer/guide/#external shows colons separating fields in the external authentication protocol. The Password field is untrusted input, so how does the protocol work if the user sends a password that contains a colon? Is it possible for the User field to contain a colon? Or for the Server field to have a colon (e.g., an IPv6 address)? If either the User or Server field can have colons, how does the external authentication program tell where the boundary between fields is? If the Password field can have colons, I'm guessing the external authentication program should just treat everything after the third colon as part of the password?

Describe the solution you'd like
Clarifying the above questions in the documentation would be nice, to avoid bugs around untrusted input.

Describe alternatives you've considered
N/A

Additional context
N/A