[jdev] Checking the from of iq replies
Lars Noschinski
lars at public.noschinski.de
Tue Mar 4 10:12:42 UTC 2014
Hi everyone,
I am working on implementing better checks against spoofed iq-replies in
Smack. I want to avoid the pitfalls other projects fell into, so I
looked at Pidgin, Psi and PyXMPP to find the most sensible behaviour.
I'm detailing my findings here, maybe they are helpful for somebody.
The following table shows the IQ-replies accepted by P(i)dgin[1], P(s)i
(Task::iqVerify) and P(y)XMPP.
From\to |  e  |  l  |  bl | dl+s |  o
--------+-----+-----+-----+------+-----
e       | isy |     |     |  s   |
l       | isy | isy |  s  |  s   |
bl      | isy |  s  | isy |  s   |
dl+s    | isy |  s  |  s  | isy  |
o       |     |     |     |      | isy
Legend
e: empty
l: local (client) jid
bl: bare local jid
dl: domainpart of local jid
s: server jid
o: other jid
Pidgin and PyXMPP behave very similarly, while Psi is more lenient in the
answers it allows. Unfortunately, the repository history sheds no light
on whether this lenient behaviour was introduced to cope with real
problems.
Best regards,
Lars
[1] <https://hg.pidgin.im/pidgin/main/rev/b8e2a5fbffd3>
[2] <https://github.com/psi-im/iris/blob/master/src/xmpp/xmpp-im/xmpp_task.cpp>, Task::iqVerify
[3] <https://github.com/Jajcus/pyxmpp/blob/master/pyxmpp/stanzaprocessor.py>, process_iq
[4] http://xmpp.org/rfcs/rfc6120.html#stanzas-attributes-from
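The acceptance table above, turned into a reply check, as an added example that is not code from Smack, Pidgin, Psi or PyXMPP. It assumes the request's `to` and the reply's `from` are compared as plain strings (a real implementation normalises JIDs first), that the server JID equals the domainpart of the local JID (so dl and s merge, as in the table), and that a reply in the "o"/"o" cell is only accepted when `from` equals the request's `to`.

```python
"""Accept or reject an IQ reply from the request's 'to' and the reply's 'from'.

Assumed example: encodes the table from the post; i = Pidgin, s = Psi, y = PyXMPP.
JIDs are compared as plain strings, so callers must normalise them first.
"""
from typing import Optional

# (from category, to category) -> clients that accept the reply.
ACCEPT = {
    ("e", "e"): "isy",                         ("e", "dl+s"): "s",
    ("l", "e"): "isy",    ("l", "l"): "isy",   ("l", "bl"): "s",    ("l", "dl+s"): "s",
    ("bl", "e"): "isy",   ("bl", "l"): "s",    ("bl", "bl"): "isy", ("bl", "dl+s"): "s",
    ("dl+s", "e"): "isy", ("dl+s", "l"): "s",  ("dl+s", "bl"): "s", ("dl+s", "dl+s"): "isy",
    ("o", "o"): "isy",
}


def classify(jid: Optional[str], local_jid: str) -> str:
    """Map a JID to a table category relative to our own full JID (assumed helper)."""
    bare = local_jid.split("/", 1)[0]          # strip the resource
    domain = bare.split("@", 1)[-1]            # domainpart == server JID here
    if not jid:
        return "e"
    if jid == local_jid:
        return "l"
    if jid == bare:
        return "bl"
    if jid == domain:
        return "dl+s"
    return "o"


def reply_accepted(request_to: Optional[str], reply_from: Optional[str],
                   local_jid: str, client: str = "i") -> bool:
    """True if `client` (i, s or y) would accept this reply for that request."""
    from_cat = classify(reply_from, local_jid)
    to_cat = classify(request_to, local_jid)
    if from_cat == "o" and to_cat == "o":
        # The table collapses all foreign JIDs into one cell; a reply from a
        # different foreign JID is not the one we asked, so demand equality.
        return reply_from == request_to
    return client in ACCEPT.get((from_cat, to_cat), "")


if __name__ == "__main__":
    me = "alice@example.com/pc"               # constructed local JID
    print(reply_accepted("example.com", None, me, client="s"))   # True (Psi only)
    print(reply_accepted("example.com", None, me, client="i"))   # False
```

Running the module prints the two lines noted in the comments; the spoofed case (a reply from a third JID for a request sent to a contact) is rejected for all three clients.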