From ee0ecd241926b9720c42954f1e978fd54f771a59 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Mon, 10 Nov 2014 01:10:04 +0100
Subject: New option: disable_sasl_mechanisms
The new "disable_sasl_mechanisms" option allows for restricting the list of SASL mechanisms offered to the client. Closes #339.
---
 src/cyrsasl.erl | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/cyrsasl.erl b/src/cyrsasl.erl
index f404a7afb..db2160ca9 100644
--- a/src/cyrsasl.erl
+++ b/src/cyrsasl.erl
@@ -93,9 +93,15 @@ start() ->
 ).
 register_mechanism(Mechanism, Module, PasswordType) ->
- ets:insert(sasl_mechanism,
- #sasl_mechanism{mechanism = Mechanism, module = Module,
- password_type = PasswordType}).
+ case is_disabled(Mechanism) of
+ false ->
+ ets:insert(sasl_mechanism,
+ #sasl_mechanism{mechanism = Mechanism, module = Module,
+ password_type = PasswordType});
+ true ->
+ ?DEBUG("SASL mechanism ~p is disabled", [Mechanism]),
+ true
+ end.
 %%% TODO: use callbacks
 %%-include("ejabberd.hrl").
@@ -215,3 +221,19 @@ filter_anonymous(Host, Mechs) ->
 true -> Mechs;
 false -> Mechs -- [<<"ANONYMOUS">>]
 end.
+
+-spec(is_disabled/1 ::
+(
+ Mechanism :: mechanism())
+ -> boolean()
+).
+
+is_disabled(Mechanism) ->
+ Disabled = ejabberd_config:get_option(
+ disable_sasl_mechanisms,
+ fun(V) when is_list(V) ->
+ lists:map(fun(M) -> str:to_upper(M) end, V);
+ (V) ->
+ [str:to_upper(V)]
+ end, []),
+ lists:member(Mechanism, Disabled).
--
cgit v1.2.3
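Review bot: In register_mechanism/3 the disabled check runs only at the moment a mechanism registers, so the effective list appears to be fixed at start-up. If the configuration can be reloaded at runtime, a mechanism added to `disable_sasl_mechanisms` later would presumably stay in the `sasl_mechanism` table and still be offered to clients. Either document that a restart is required, or apply the filter where the mechanism list is built for a client, which is outside this hunk. The skip is also reported only through `?DEBUG`; because dropping a mechanism changes the server's authentication surface, an info-level line such as `?INFO_MSG("SASL mechanism ~p is disabled", [Mechanism])` would leave a trace at default log levels.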
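Review bot: The validator fun in is_disabled/1 uppercases whatever it receives but never checks that the entries are known mechanism names, so a misspelled entry (constructed example: `DIGEST_MD5` with an underscore) matches nothing in `lists:member/2` and the mechanism stays enabled without any message. For an option meant to narrow the offered mechanisms, that fails open. If `ejabberd_config:get_option` falls back to the default `[]` when the fun crashes on a non-string value (not visible here), a malformed setting would likewise disable nothing. Consider logging a warning for configured names that never match a registering mechanism, and add a comment above is_disabled/1 such as `%% Names are compared case-insensitively; entries that match no mechanism are ignored.`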