Am 30.01.2014 13:49, schrieb Thijs Alkemade:
Then we have Facebook. All replies to iqs without 'to' have
from='chat.facebook.com':
C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>
jabber.org itself shows a similar problem:
C: <iq type='set' id='purplec5ae5254'>
<session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</iq>
S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>
I would say that is correct (and I do the same in my server). No 'to'
means the target ('to') is the server.
Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the
problem is when a non-existing 'to' will be replaced by a 'to' with the
servers jid (usually just the domain). If I read the Pidgin Security
Advisory correctly, some servers do forward iq-replies which do contain
a 'from' of the server, which is the real problem. So those failing
servers do seem to miss a check for the validity of the 'from'.
But replying to an iq without a 'to' with an iq with a 'from' of the
server is imho correct.
Regards,
Alexander Holler
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
