From: Ken Hornstein
Date: Fri, 23 Sep 2016 17:59:52 +0000 (-0400)
Subject: Don't always output a decoded SASL token; if it's a large binary blob, just
X-Git-Url: https://diplodocus.org/git/nmh/commitdiff_plain/0e8670d5ff9bfdbfe97364ac97fc1cd8e8e66117?hp=-c
Don't always output a decoded SASL token; if it's a large binary blob, just stick with the base64 output.
--- 0e8670d5ff9bfdbfe97364ac97fc1cd8e8e66117
diff --git a/sbr/netsec.c b/sbr/netsec.c
index f6217c1d..7d5c48c8 100644
--- a/sbr/netsec.c
+++ b/sbr/netsec.c
@@ -99,6 +99,12 @@ struct _netsec_context {
 
 static int netsec_fillread(netsec_context *ns_context, char **errstr);
 
+/*
+ * Code to check the ASCII content of a byte array.
+ */
+
+static int checkascii(const unsigned char *byte, size_t len);
+
 /*
 * How this code works, in general.
 *
@@ -303,16 +309,48 @@ netsec_b64_snoop_decoder(netsec_context *nsc, const char *string, size_t len,
 }
 
 if (decodeBase64(string, &decoded, &decodedlen, 1, NULL) == OK) {
- char *hexified;
- hexify((const unsigned char *) decoded, decodedlen, &hexified);
- fprintf(stderr, "b64<%s>\n", hexified);
- free(hexified);
- free((char *) decoded);
+ /*
+ * Some mechanisms preoduce large binary tokens, which aren't really
+ * readable. So let's do a simple heuristic. If the token is greater
+ * than 100 characters _and_ the first 100 bytes are more than 50%
+ * non-ASCII, then don't print the decoded buffer, just the
+ * base64 text.
+ */
+ if (decodedlen > 100 && !checkascii(decoded, 100)) {
+ fprintf(stderr, "%.*s\n", (int) len, string);
+ } else {
+ char *hexified;
+ hexify(decoded, decodedlen, &hexified);
+ fprintf(stderr, "b64<%s>\n", hexified);
+ free(hexified);
+ }
+ free(decoded);
 } else {
 fprintf(stderr, "%.*s\n", (int) len, string);
 }
 }
 
+/*
+ * If the ASCII content is > 50%, return 1
+ */
+
+static int
+checkascii(const unsigned char *bytes, size_t len)
+{
+ size_t count = 0, half = len / 2;
+
+ while (len-- > 0) {
+ if (isascii(*bytes) && isprint(*bytes) && ++count > half)
+ return 1;
+ bytes++;
+ /* No chance by this point */
+ if (count + len < half)
+ return 0;
+ }
+
+ return 0;
+}
+
 /*
 * Set the read timeout for this connection
 */
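Review bot: The two new comments describe an ASCII test, but `checkascii()` counts only bytes that pass both `isascii()` and `isprint()`, so control bytes (NUL separators, CR/LF) count against the token and the base64 fallback fires whenever printable bytes are half or fewer of the first 100. I would reword the function comment to `Return 1 if more than half of the bytes are printable ASCII, otherwise 0`, fix the typo `preoduce`, and name the sample size once, e.g. `#define SNOOP_ASCII_SAMPLE 100`, rather than repeating the literal in the condition. The block comment should also say that the fallback is a readability choice and not redaction: both branches write the complete token to stderr, and a SASL token may carry credentials, so snoop output still has to be handled as sensitive. The prototype in the first hunk names the parameter `byte` while the definition here uses `bytes`; `netsec_b64_snoop_decoder()` itself begins outside this hunk, so the declaration of `decoded` that the dropped casts rely on is not visible.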