[jdev] Spoofing of iq ids and misbehaving servers

Alexander Holler holler at ahsoftware.de
Fri Jan 31 10:51:18 UTC 2014


Am 31.01.2014 09:26, schrieb Mark Doliner:
> (My apologies if this email doesn't thread correctly -- I was not
> previously subscribed to this mailing list.)
>
> THE SPEC
> In addition to the aforementioned paragraph from section 10.3.3
> [footnote #1], section 8.1.2.1 [footnote #2] also talks about the from
> attribute.
>
> SERVER BEHAVIOR
> It's not clear to me how servers are supposed to behave. Depending on
> the circumstances it seems like servers are allowed to:
> - Not set 'from' at all
> - Set 'from' to the server's bare JID
> - Set 'from' to the user's bare JID
>
> In a server generated IQ reply it seems like it's never acceptable to
> set 'from' to the user's full JID. Thijs mentioned that he thought
> iChat server (unknown version) and ejabberd (probably 2.1.10) do this.
> That seems wrong to me.
>
> CLIENT BEHAVIOR
> I think clients can perform checking to guard against spoofed IQ
> replies and still be compatible with the various server behaviors.
>
> I think clients should treat the IQ reply as a valid match if:
> - request 'to' matches reply 'from'
> - or request 'to' is unset and:
>      - reply 'from' is unset
>      - or reply 'from' is server bare jid
>      - or reply 'from' is my user bare jid
>      - or reply 'from' is my user full jid
>
> I think this is sufficient because if request 'to' is unset then we
> know the request must be handled by our server, and if reply 'from' is
> [ unset or server bare jid or my jid ] then we know the reply came
> from our server, and that's good enough.
>
> I made this change to Pidgin [footnote #3].
>
> [1] http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ
> [2] http://xmpp.org/rfcs/rfc6120.html#stanzas-attributes-from-c2s
> [3] https://hg.pidgin.im/pidgin/main/rev/b8e2a5fbffd3

In general the reply should always have 'to' and 'from' exchanged. I 
think any server which doesn't do so does something wrong.

Where the confusion starts is what servers use as 'to' for an 
incoming stanza which contains no 'to'. As already said, I and some 
other servers use the server's JID (usually the domain the client 
connected to) as 'to', based on the fact that RFC 3920 wasn't 
clear about that.

Regards,

Alexander Holler
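
As an added example (not code from this thread, from Pidgin or from any server mentioned above), the client-side matching rule Mark proposes, combined with the id tracking the subject line refers to, in Python. All JIDs and ids are constructed; the server JID is assumed to be the bare domain the client connected to.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


def bare_jid(jid: str) -> str:
    """Strip the resource: 'user@example.com/desk' -> 'user@example.com'."""
    return jid.split("/", 1)[0]


@dataclass
class IqReplyMatcher:
    """Track outstanding IQ requests and validate replies against them.

    A reply is accepted only if its id belongs to a request we sent AND its
    'from' is consistent with the 'to' of that request, with the relaxations
    for requests sent without 'to' (handled by our own server).
    """
    server_jid: str      # constructed: domain we are connected to
    my_full_jid: str     # constructed: our bound full JID
    pending: Dict[str, Optional[str]] = field(default_factory=dict)

    def send(self, iq_id: str, to: Optional[str]) -> None:
        """Record an outgoing request: id -> the 'to' it was sent with."""
        self.pending[iq_id] = to

    def from_matches(self, request_to: Optional[str], reply_from: Optional[str]) -> bool:
        """Apply the 'from' rule from the thread."""
        if request_to is not None:
            # Addressed request: the reply must come back from exactly that JID.
            return reply_from == request_to
        # No 'to': our server handled it, so accept the forms servers use.
        return reply_from in (
            None,
            self.server_jid,
            bare_jid(self.my_full_jid),
            self.my_full_jid,
        )

    def accept(self, iq_id: str, reply_from: Optional[str]) -> bool:
        """Return True and consume the id if the reply is a valid match."""
        if iq_id not in self.pending:
            return False  # unknown or already-consumed id: ignore it
        if not self.from_matches(self.pending[iq_id], reply_from):
            return False  # wrong sender; keep waiting for the genuine reply
        del self.pending[iq_id]
        return True
```

A rejected reply leaves the request pending, so a spoofed stanza with a guessed id cannot displace the real answer.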

