<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On 30 Jan. 2014, at 16:36, Alexander Holler <<a href="mailto:holler@ahsoftware.de">holler@ahsoftware.de</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">On 30.01.2014 13:49, Thijs Alkemade wrote:<br><br><br><blockquote type="cite">Then we have Facebook. All replies to iqs without 'to' have<br>from='<a href="http://chat.facebook.com">chat.facebook.com</a>':<br><br>C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq><br>S: <iq from='<a href="http://chat.facebook.com">chat.facebook.com</a>' id='purple3a6232a6' type='result'/><br><br><a href="http://jabber.org">jabber.org</a> itself shows a similar problem:<br><br>C: <iq type='set' id='purplec5ae5254'><br> <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/><br> </iq><br>S: <iq from='<a href="http://jabber.org">jabber.org</a>' type='result' id='purplec5ae5254'/><br><br></blockquote><br>I would say that is correct (and I do the same in my server). No 'to' means the target ('to') is the server.<br><br>Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the problem is when a non-existing 'to' will be replaced by a 'to' with the server's jid (usually just the domain). If I read the Pidgin Security Advisory correctly, some servers do forward iq-replies which do contain a 'from' of the server, which is the real problem. So those failing servers do seem to miss a check for the validity of the 'from'.<br><br>But replying to an iq without a 'to' with an iq with a 'from' of the server is imho correct.<br><br>Regards,<br><br>Alexander Holler<br></blockquote><br></div><div>No, that’s wrong. 
<a href="http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ:">http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ:</a><br><br>"If the server receives an IQ stanza with no 'to' attribute, it MUST process<br>the stanza on behalf of the account from which received the stanza, ... by<br>returning an appropriate IQ stanza of type "result" or "error", responding as<br>if the server were the bare JID of the sending entity."<br><br>Thijs</div><br></body></html>
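Added example, not part of the thread above and not Pidgin's or any server's code: a client-side check of the 'from' on IQ replies, written against the RFC 6120 rule Thijs quotes. A reply to a request that carried no 'to' is accepted only if it has no 'from' or a 'from' equal to the client's own bare JID; a reply to a request with an explicit 'to' must come from exactly that JID. The server-domain 'from' that Facebook and jabber.org send is rejected by default and only accepted when the caller opts in, so the relaxation is a visible decision rather than a silent gap. The JIDs and ids other than the two stanzas quoted from the thread are constructed for the example.

```python
import xml.etree.ElementTree as ET


def bare_jid(jid):
    """Strip the resource: user@domain/resource -> user@domain (None stays None)."""
    return jid.split("/", 1)[0] if jid else jid


def domain_of(jid):
    """Domain part of a JID, i.e. the server: user@domain/res -> domain."""
    return bare_jid(jid).rsplit("@", 1)[-1]


class IqTracker:
    """Tracks outstanding IQ requests and validates the 'from' of their replies.

    RFC 6120 section 10.3.3: an IQ with no 'to' is answered "as if the server
    were the bare JID of the sending entity", so a reply to such a request may
    carry no 'from' or the client's own bare JID, nothing else. A request with
    an explicit 'to' must be answered from exactly that JID. Any reply whose
    'from' does not match is treated as a possible spoof and dropped.
    """

    def __init__(self, own_jid, allow_server_domain=False):
        self.own_bare = bare_jid(own_jid)
        self.server = domain_of(own_jid)
        # Opt-in relaxation for servers that answer no-'to' IQs from the
        # server domain (the behaviour quoted in the thread). Off by default.
        self.allow_server_domain = allow_server_domain
        self.pending = {}  # request id -> 'to' of the request (None if absent)

    def send(self, iq_xml):
        """Record an outgoing get/set IQ so its reply can be matched later."""
        iq = ET.fromstring(iq_xml)
        if iq.get("type") not in ("get", "set"):
            raise ValueError("only get/set IQs expect a reply")
        self.pending[iq.get("id")] = iq.get("to")

    def expected_senders(self, to):
        """Set of 'from' values a legitimate reply to this request may carry."""
        if to is None:
            allowed = {None, self.own_bare}
            if self.allow_server_domain:
                allowed.add(self.server)
            return allowed
        return {to}

    def receive(self, iq_xml):
        """Validate an incoming reply. Returns (accepted, reason).

        Accepted replies are removed from the pending table, so a second reply
        with the same id is rejected as well.
        """
        iq = ET.fromstring(iq_xml)
        if iq.get("type") not in ("result", "error"):
            return False, "not an IQ reply"
        rid = iq.get("id")
        if rid not in self.pending:
            return False, "unknown or already answered id"
        sender = iq.get("from")
        if sender not in self.expected_senders(self.pending[rid]):
            return False, "'from' %r not allowed for this request" % (sender,)
        del self.pending[rid]
        return True, "ok"


def demo():
    """Run the stanzas quoted in the thread through the check; returns results."""
    # Constructed client JID; the two stanzas below are the Facebook ones quoted above.
    strict = IqTracker("alice@chat.facebook.com/pidgin")
    strict.send("<iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>")
    from_server, _ = strict.receive(
        "<iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>")
    no_from, _ = strict.receive("<iq id='purple3a6232a6' type='result'/>")

    relaxed = IqTracker("alice@chat.facebook.com/pidgin", allow_server_domain=True)
    relaxed.send("<iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>")
    relaxed_ok, _ = relaxed.receive(
        "<iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>")

    # Constructed: a reply with a matching id but a 'from' of some other account.
    strict.send("<iq type='get' id='purple42'><ping xmlns='urn:xmpp:ping'/></iq>")
    spoofed, _ = strict.receive(
        "<iq from='mallory@chat.facebook.com' id='purple42' type='result'/>")
    return {"from_server": from_server, "no_from": no_from,
            "relaxed": relaxed_ok, "spoofed": spoofed}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the pending table keyed by id and comparing 'from' against the request's 'to' is that a reply cannot be matched to a request by id alone: anyone who can see or guess the id could otherwise answer on the server's behalf, which is what the 'from' check closes.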