From c788e1599d6878e447f237d675e7341f5fbc1245 Mon Sep 17 00:00:00 2001
From: dequis <dx@dxzone.com.ar>
Date: Mon, 5 Oct 2015 01:20:07 -0300
Subject: The SASL PLAIN RFC says that the first part can be empty

So use the second part as the username, and only require it to be equal
to the first part if that one is present.

ABNF from the spec:

    message   = [authzid] UTF8NUL authcid UTF8NUL passwd

Note brackets.

Authzid (authorization identity) is meant for impersonation, which we
don't support. The actual login username is defined by authcid
(authentication identity)

Thanks grawity for pointing this out.
---
 irc_commands.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'irc_commands.c')

diff --git a/irc_commands.c b/irc_commands.c
index aa0ecb73..4e2a2c64 100644
--- a/irc_commands.c
+++ b/irc_commands.c
@@ -79,11 +79,11 @@ static gboolean irc_sasl_plain_parse(char *input, char **user, char **pass)
 	}
 
 	/* sanity checks */
-	if (part != 3 || i != (len + 1) || strcmp(parts[0], parts[1]) != 0) {
+	if (part != 3 || i != (len + 1) || (parts[0][0] && strcmp(parts[0], parts[1]) != 0)) {
 		g_free(decoded);
 		return FALSE;
 	} else {
-		*user = g_strdup(parts[0]);
+		*user = g_strdup(parts[1]);
 		*pass = g_strdup(parts[2]);
 		g_free(decoded);
 		return TRUE;
-- 
cgit v1.2.3