[jdev] Spoofing of iq ids and misbehaving servers

Mark Doliner mark at kingant.net
Fri Jan 31 08:26:01 UTC 2014


(My apologies if this email doesn't thread correctly -- I was not
previously subscribed to this mailing list.)

THE SPEC
In addition to the aforementioned paragraph from section 10.3.3
[footnote #1], section 8.1.2.1 [footnote #2] also talks about the from
attribute.

SERVER BEHAVIOR
It's not clear to me how servers are supposed to behave. Depending on
the circumstances it seems like servers are allowed to:
- Not set 'from' at all
- Set 'from' to the server's bare JID
- Set 'from' to the user's bare JID

In a server-generated IQ reply it seems like it's never acceptable to
set 'from' to the user's full JID. Thijs mentioned that he thought
iChat server (unknown version) and ejabberd (probably 2.1.10) do this.
That seems wrong to me.

CLIENT BEHAVIOR
I think clients can perform checking to guard against spoofed IQ
replies and still be compatible with the various server behaviors.

I think clients should treat the IQ reply as a valid match if:
- request 'to' matches reply 'from'
- or request 'to' is unset and:
    - reply 'from' is unset
    - or reply 'from' is server bare JID
    - or reply 'from' is my user bare JID
    - or reply 'from' is my user full JID

I think this is sufficient because if request 'to' is unset then we
know the request must be handled by our server, and if reply 'from' is
[ unset or server bare JID or my JID ] then we know the reply came
from our server, and that's good enough.

I made this change to Pidgin [footnote #3].

[1] http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ
[2] http://xmpp.org/rfcs/rfc6120.html#stanzas-attributes-from-c2s
[3] https://hg.pidgin.im/pidgin/main/rev/b8e2a5fbffd3
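The matching rule above, written out as a small Python example (added here; it is not the Pidgin change linked in footnote 3 and not code from the post). It keeps a table of pending IQ ids with the 'to' each request was sent with, and on a 'result' or 'error' IQ decides whether the reply is a legitimate match, a reply to nothing we sent, or a reply whose 'from' does not fit the rule. The class and function names (IqTracker, reply_from_is_acceptable), the sample stanzas, and the JIDs are all constructed for the example; it also assumes the JIDs being compared have already been normalized (it uses plain string equality), and that the client knows its server's bare JID.

```python
"""Client-side acceptance check for IQ replies.

Implements the rule from the post: a reply matches its request if
  - request 'to' equals reply 'from', or
  - request 'to' is unset and reply 'from' is unset, the server's bare
    JID, our bare JID, or our full JID.
A reply that carries a known id but fails the rule is reported as
"spoofed" and does NOT consume the pending id, so the genuine reply can
still arrive and match.  Added example; not Pidgin's implementation.
"""
import xml.etree.ElementTree as ET


def bare_jid(jid: str) -> str:
    """Strip the resource: 'user@host/resource' -> 'user@host'."""
    return jid.split("/", 1)[0]


def reply_from_is_acceptable(request_to, reply_from, server_jid, my_full_jid):
    """Return True if reply 'from' is an acceptable origin for this request.

    Assumes all JIDs are already normalized (plain string comparison).
    """
    if request_to is not None:
        # We addressed the request explicitly: the reply must come from there.
        return reply_from == request_to
    # No 'to' on the request means our own server handled it, so the reply
    # may be unaddressed or come from the server or from "us".
    return reply_from in (None, server_jid, bare_jid(my_full_jid), my_full_jid)


def _local_name(tag: str) -> str:
    """'{jabber:client}iq' -> 'iq'; plain 'iq' stays 'iq'."""
    return tag.rsplit("}", 1)[-1]


class IqTracker:
    """Tracks outgoing IQ requests and validates incoming replies."""

    def __init__(self, my_full_jid: str, server_jid: str):
        self.my_full_jid = my_full_jid
        self.server_jid = server_jid
        self.pending = {}  # iq id -> the 'to' the request was sent with (or None)

    def send(self, stanza_xml: str) -> None:
        """Record an outgoing IQ request ('get' or 'set') by its id."""
        el = ET.fromstring(stanza_xml)
        if _local_name(el.tag) != "iq" or el.get("type") not in ("get", "set"):
            raise ValueError("only IQ get/set requests are tracked")
        self.pending[el.get("id")] = el.get("to")

    def receive(self, stanza_xml: str) -> str:
        """Classify an incoming stanza.

        Returns one of: 'not-a-reply', 'unsolicited', 'spoofed', 'matched'.
        """
        el = ET.fromstring(stanza_xml)
        if _local_name(el.tag) != "iq" or el.get("type") not in ("result", "error"):
            return "not-a-reply"
        iq_id = el.get("id")
        if iq_id not in self.pending:
            return "unsolicited"  # id we never sent (or already consumed)
        if reply_from_is_acceptable(self.pending[iq_id], el.get("from"),
                                    self.server_jid, self.my_full_jid):
            del self.pending[iq_id]  # only a legitimate reply consumes the id
            return "matched"
        return "spoofed"


if __name__ == "__main__":
    # Constructed sample session: alice asks her server for her roster, then
    # pings a contact; an unrelated JID tries to answer the roster request.
    t = IqTracker("alice@example.com/laptop", "example.com")
    t.send('<iq type="get" id="r1"><query xmlns="jabber:iq:roster"/></iq>')
    print(t.receive('<iq type="result" id="r1" from="mallory@example.org"/>'))  # spoofed
    print(t.receive('<iq type="result" id="r1" from="example.com"/>'))          # matched
    t.send('<iq type="get" id="r2" to="bob@example.org/phone"><ping xmlns="urn:xmpp:ping"/></iq>')
    print(t.receive('<iq type="result" id="r2" from="bob@example.org/phone"/>'))  # matched
```

The point of leaving the pending entry in place on a "spoofed" verdict is that an attacker who guesses an id cannot make the client drop the real reply; the id is only retired once a reply that satisfies the rule arrives.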

