[JDEV] Re: jabber; what would you like to see?
Richard Dobson
richard at dobson-i.net
Thu Sep 25 07:21:49 CDT 2003
----- Original Message -----
From: "Ulrich B. Staudinger" <us at die-horde.de>
To: <jdev at jabber.org>
Sent: Thursday, September 25, 2003 2:05 PM
Subject: Re: [JDEV] Re: jabber; what would you like to see?
> Richard Dobson wrote:
>
> >>What I picture is that one could have a scripting language within the
> >>packets, for example:
> >>
> >><iq type="get">
> >><query xmlns="bla bla">
> >><script>
> >>@users=fetchroster(1,2,3);
> >>for ($i=0; $i<$@#users) {
> >> echo "<message to=@user[$i]> In my new roster bla bla ";
> >>}
> >>createrostergroup(@users, "newrostergroup");
> >>return @users;
> >></script>
> >></query>
> >></iq>
> >>
> >>
> >
> >Sorry but to me anyone doing something like this should be shot, having
> >scripting sent inside packets to be processed by the endpoint like this is a
> >security hole of an enormous magnitude, and we definitely should not be
> >doing anything like this. This is kind of like Word macros, it can have some
> >benefits but the potential for abuse is massive, it would require all sorts
> >of extra security stuff to even attempt to secure it. Overall I think the
> >downsides are far more than the benefit of the convenience, the best thing
> >is to continue doing what we have been doing and creating protocols for set
> >purposes. We don't need the flexibility of a scripting system as we already
> >have the flexibility/extensibility of XML and the jabber protocol to do
> >things like this without creating massive security holes.
> >
> Maybe not shot - only dipped into cold coffee for more than an hour ...
> +1 - absolutely not supportable from my side.
Yeah, sorry, "... should be shot" is a common saying over here in the UK
meaning that something someone has done is very bad/silly; it's a
tongue-in-cheek thing.
Richard
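
Added example, not part of the original thread or of any Jabber implementation: a minimal Python receiver that follows the approach argued for above, dispatching each IQ payload to a fixed-purpose handler by namespace and treating any embedded `<script>` as inert data. The `urn:example:roster-group` namespace, the handler names and the sample stanzas are hypothetical and constructed for illustration; the returned strings borrow XMPP error condition names.

```python
import xml.etree.ElementTree as ET

NS_GROUP = "urn:example:roster-group"  # hypothetical fixed-purpose namespace

def handle_create_group(query, roster, groups):
    """Read the payload strictly as data: a group name plus member JIDs."""
    name = query.get("name", "")
    members = [i.get("jid", "") for i in query.findall(f"{{{NS_GROUP}}}item")]
    if not name or len(name) > 64 or not members:
        return "bad-request"
    if any(jid not in roster for jid in members):
        return "item-not-found"
    groups[name] = members  # any other child, <script> included, is ignored
    return "result"

# Allow-list of (iq type, payload namespace) -> handler; nothing else runs.
HANDLERS = {("set", NS_GROUP): handle_create_group}

def process_iq(stanza_xml, roster, groups):
    """Return 'result' or a string named after an XMPP error condition."""
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return "not-well-formed"
    if iq.tag != "iq" or len(iq) != 1:  # assumes no default stream namespace
        return "bad-request"
    payload = iq[0]
    # ElementTree spells qualified tags as "{namespace}localname".
    ns = payload.tag[1:].split("}")[0] if payload.tag.startswith("{") else ""
    handler = HANDLERS.get((iq.get("type"), ns))
    if handler is None:
        return "service-unavailable"  # unknown payloads are refused, never evaluated
    return handler(payload, roster, groups)

# Constructed sample input (not captured traffic).
ROSTER = {"alice@example.org", "bob@example.org"}
SCRIPTED = ('<iq type="get"><query xmlns="bla bla"><script>'
            'createrostergroup(@users, "newrostergroup");</script></query></iq>')
DECLARATIVE = ('<iq type="set"><query xmlns="urn:example:roster-group" '
               'name="newrostergroup"><item jid="alice@example.org"/>'
               '<item jid="bob@example.org"/><script>return @users;</script>'
               '</query></iq>')

if __name__ == "__main__":
    groups = {}
    print(process_iq(SCRIPTED, ROSTER, groups), groups)
    print(process_iq(DECLARATIVE, ROSTER, groups), groups)
```

The receiver's attack surface is the set of handlers it ships, so a new capability means reviewing one new handler rather than securing an interpreter.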