[JDEV] Re: jabber; what would you like to see?
Ulrich B. Staudinger
us at die-horde.de
Thu Sep 25 08:05:22 CDT 2003
Richard Dobson wrote:
>>What I picture is that one could have a scripting language within the
>>packets, for example:
>>
>><iq type="get">
>><query xmlns="bla bla">
>><script>
>>@users=fetchroster(1,2,3);
>>for ($i=0; $i<$@#users) {
>> echo "<message to=@user[$i]> In my new roster bla bla ";
>>}
>>createrostergroup(@users, "newrostergroup");
>>return @users;
>></script>
>></query>
>></iq>
>>
>>
>
>Sorry but to me anyone doing something like this should be shot, having
>scripting sent inside packets to be processed by the endpoint like this is a
>security hole of an enormous magnitude, and we definitely should not be
>doing anything like this. This is kind of like Word macros, it can have some
>benefits but the potential for abuse is massive, it would require all sorts
>of extra security stuff to even attempt to secure it. Overall I think the
>downsides are far more than the benefit of the convenience, the best thing
>is to continue doing what we have been doing and creating protocols for set
>purposes. We don't need the flexibility of a scripting system as we already
>have the flexibility/extensibility of XML and the jabber protocol to do
>things like this without creating massive security holes.
>
Maybe not shot - only dipped into cold coffee for more than an hour ...
+1 - absolutely not supportable from my side.
>
>Richard
>
>_______________________________________________
>jdev mailing list
>jdev at jabber.org
>http://mailman.jabber.org/listinfo/jdev
>
>
>
--
Ulrich B. Staudinger
http://www.die-horde.de
email: us at die-horde.de
jid: uls at jabber.org
current project: REDHORN
http://redhorn.sourceforge.net
Blog: http://jabber.linux.it/jogger/user.php?jid=uls@jabber.org
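
Added example, not part of the original message and not code from any Jabber implementation: a minimal sketch of the "protocols for set purposes" approach argued for in the quoted reply, where the receiving endpoint dispatches an <iq/> on an allowlist of namespaces and never evaluates packet content. The handler name, the roster list and the sample stanzas are constructed for illustration; the error element follows the XMPP stanza-error convention, which postdates this thread.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
STANZA_ERR_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

def get_roster(query, roster):
    """Fixed-purpose handler: builds the reply from server state only.
    Children it does not define (such as <script>) are never read or evaluated."""
    reply = ET.Element("{%s}query" % ROSTER_NS)
    for jid in roster:
        ET.SubElement(reply, "{%s}item" % ROSTER_NS, jid=jid)
    return reply

# Allowlist of (iq type, payload namespace) -> handler. Nothing else is served.
HANDLERS = {("get", ROSTER_NS): get_roster}

def handle_iq(raw, roster):
    """Parse one <iq/> stanza and return the reply element."""
    if "<!DOCTYPE" in raw:  # refuse DTDs so entity declarations never reach the parser
        raise ValueError("DTD not accepted")
    iq = ET.fromstring(raw)
    if iq.tag.rpartition("}")[2] != "iq" or len(iq) != 1:
        raise ValueError("expected <iq/> with exactly one payload element")
    payload = iq[0]
    ns = payload.tag[1:].partition("}")[0] if payload.tag.startswith("{") else ""
    reply = ET.Element("iq", id=iq.get("id", ""))
    handler = HANDLERS.get((iq.get("type"), ns))
    if handler is None:
        # Unknown purpose: answer with an error instead of interpreting the payload.
        reply.set("type", "error")
        err = ET.SubElement(reply, "error", type="cancel")
        ET.SubElement(err, "{%s}service-unavailable" % STANZA_ERR_NS)
    else:
        reply.set("type", "result")
        reply.append(handler(payload, roster))
    return reply

# Constructed sample stanzas: a known query carrying a stray <script>, and an unknown namespace.
SAMPLE_ROSTER_GET = ('<iq type="get" id="r1"><query xmlns="jabber:iq:roster">'
                     '<script>createrostergroup(@users, "newrostergroup");</script></query></iq>')
SAMPLE_UNKNOWN = ('<iq type="get" id="s1"><query xmlns="urn:example:script">'
                  '<script>return @users;</script></query></iq>')

if __name__ == "__main__":
    for stanza in (SAMPLE_ROSTER_GET, SAMPLE_UNKNOWN):
        print(ET.tostring(handle_iq(stanza, ["a@example.org"]), encoding="unicode"))
```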