authorSimon MacMullen <simon@rabbitmq.com>2010-12-02 14:15:49 +0000
committerSimon MacMullen <simon@rabbitmq.com>2010-12-02 14:15:49 +0000
commitebdd6ea17b769b99b1d6d2a9eea0f71f7e9d6e51 (patch)
tree4eedda2730b1be5311f09f87672a25422f5111a6
parent73203e46c5e194b9c60dc3f47dfc9a3c36cd7dd4 (diff)
downloadrabbitmq-server-ebdd6ea17b769b99b1d6d2a9eea0f71f7e9d6e51.tar.gz
More robust SASL PLAIN parsing - cope with any number of \0's being present without falling over.
-rw-r--r--src/rabbit_access_control.erl13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index bc588013..cefe345c 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -103,9 +103,16 @@
%% SASL PLAIN, as used by the Qpid Java client and our clients. Also,
%% apparently, by OpenAMQ.
check_login(<<"PLAIN">>, Response) ->
- [User, Pass] = [list_to_binary(T) ||
- T <- string:tokens(binary_to_list(Response), [0])],
- user_pass_login(User, Pass);
+ case re:run(Response, "\\0([^\\0]*)", [{capture, all_but_first, binary},
+ global]) of
+ {match, [[User],[Pass]]} ->
+ user_pass_login(User, Pass);
+ _ ->
+ rabbit_misc:protocol_error(
+ access_refused, "login refused, response '~p' invalid",
+ [Response])
+ end;
+
%% AMQPLAIN, as used by Qpid Python test suite. The 0-8 spec actually
%% defines this as PLAIN, but in 0-9 that definition is gone, instead
%% referring generically to "SASL security mechanism", i.e. the above.
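Review bot: The new fallback clause formats the raw `Response` with `~p` into the protocol error text, and for SASL PLAIN that binary contains the password field, so a malformed login response puts credential material into whatever consumes the error (presumably the broker log and the reply-text sent back on the connection, which this hunk does not show). Reporting only the shape of the response avoids that, e.g. `access_refused, "login refused, response (~p bytes) invalid", [byte_size(Response)]`. A smaller point: the pattern `"\\0([^\\0]*)"` is unanchored, so whatever precedes the first NUL (the SASL authzid) is silently discarded rather than checked; if authorization identities are deliberately unsupported, a comment such as `%% authzid (anything before the first NUL) is ignored` would make that explicit. check_login/2 has further clauses beyond this hunk.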