Fix SCRAM username character escape #196

Merged: 1 commit, Aug 15, 2024

debuggings

According to [rfc5802](https://datatracker.ietf.org/doc/html/rfc5802), username should escape special characters before sending to the server.
> The characters ',' or '=' in usernames are sent as '=2C' and
> '=3D' respectively. If the server receives a username that
> contains '=' not followed by either '2C' or '3D', then the
> server MUST fail the authentication.

@debuggings debuggings changed the title fix scram username character escape Fix scram username character escape Aug 14, 2024
@debuggings debuggings changed the title Fix scram username character escape Fix SCRAM username character escape Aug 14, 2024
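
The escaping rule quoted in the description, together with the matching server-side check, as an added example that is not the project's `scram.py` code. Function names and sample values are constructed for illustration, and the parser handles only the `n` and `r` attributes.

```python
# Added illustration; names and sample values are constructed, not from scram.py.
# SASLprep normalization, which RFC 5802 also requires, is omitted here.

def escape_saslname(username: str) -> str:
    # '=' first: otherwise the '=' produced by ',' -> '=2C' would be re-encoded.
    return username.replace("=", "=3D").replace(",", "=2C")

def unescape_saslname(wire: str) -> str:
    """Server side: decode a saslname, failing on any '=' that is not =2C or =3D."""
    out, i = [], 0
    while i < len(wire):
        if wire[i] == ",":
            raise ValueError("unescaped ',' in saslname")
        if wire[i] == "=":
            code = wire[i + 1:i + 3]
            if code not in ("2C", "3D"):
                raise ValueError("'=' not followed by '2C' or '3D'")
            out.append("," if code == "2C" else "=")
            i += 3
        else:
            out.append(wire[i])
            i += 1
    return "".join(out)

def client_first_bare(username: str, nonce: str) -> str:
    return f"n={escape_saslname(username)},r={nonce}"

def parse_client_first_bare(message: str) -> tuple[str, str]:
    # ',' separates attributes, so a raw ',' in the username adds a bogus one.
    pairs = [part.partition("=") for part in message.split(",")]
    if [key for key, _, _ in pairs] != ["n", "r"]:
        raise ValueError("expected exactly the attributes n and r")
    return unescape_saslname(pairs[0][2]), pairs[1][2]

if __name__ == "__main__":
    msg = client_first_bare("ops,team=a", "constructed-nonce")
    print(msg)
    print(parse_client_first_bare(msg))
```
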
Owner

@wbarnha wbarnha left a comment

If this is only an issue within the context of RFC 5802, then I think this is a behavior I'm willing to accept. Since this is the only usage of self.user in scram.py, I may be making much ado about nothing with my other opinion that having such an implementation here feels awkward.

@debuggings
Author

Thanks for your reply.

For me, escaping is a part of message preparation, just like `r=` and `n=`. Therefore, I think escaping and connecting should happen just before sending the message.

@wbarnha
Owner

wbarnha commented Aug 15, 2024

I agree. LGTM!

@wbarnha wbarnha merged commit 9bee9fc into wbarnha:master Aug 15, 2024
21 checks passed
@debuggings
Author

Hi @wbarnha, may I ask where I can find the release plan? Thanks in advance.
