Sat, 15 Nov 2008 19:12:05 +0100
Adding some TODO for some security issue.
--- a/plugins/mod_saslauth.lua Sat Nov 15 13:47:17 2008 +0100
+++ b/plugins/mod_saslauth.lua Sat Nov 15 19:12:05 2008 +0100
@@ -115,6 +115,7 @@
 function (session, features)
 if not session.username then
 t_insert(features, "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>");
+ -- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
 t_insert(features, "<mechanism>PLAIN</mechanism>");
 t_insert(features, "<mechanism>DIGEST-MD5</mechanism>");
 t_insert(features, "</mechanisms>");
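Review bot: The `<mechanism>PLAIN</mechanism>` line is still inserted unconditionally, so until this TODO is implemented the server offers PLAIN on streams with no TLS layer and the password is exposed to anyone who can observe the connection. The eventual fix would wrap that one `t_insert` in a check of the session's TLS state; the field that records it is not visible in this hunk, so which one to test needs confirming against the TLS module. The comment's last clause is garbled and does not say who is warned. I would reword it to `-- TODO: Offer PLAIN only when TLS is active (SHOULD, RFC 4616 introduction); allow a config override, but log a warning whenever PLAIN is offered without TLS.` The enclosing function continues past the end of the hunk.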