On 30 Jan. 2014, at 16:36, Alexander Holler <[email protected]> wrote:

> On 30.01.2014 13:49, Thijs Alkemade wrote:
> 
> 
>> Then we have Facebook. All replies to iqs without 'to' have
>> from='chat.facebook.com':
>> 
>> C: <iq type='get' id='purple3a6232a6'><ping xmlns='urn:xmpp:ping'/></iq>
>> S: <iq from='chat.facebook.com' id='purple3a6232a6' type='result'/>
>> 
>> jabber.org itself shows a similar problem:
>> 
>> C: <iq type='set' id='purplec5ae5254'>
>>       <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
>>    </iq>
>> S: <iq from='jabber.org' type='result' id='purplec5ae5254'/>
>> 
> 
> I would say that is correct (and I do the same in my server). No 'to' means 
> the target ('to') is the server.
> 
> Unfortunately, CVE-2013-6483 still isn't public, so I wonder what the problem 
> is when a non-existing 'to' will be replaced by a 'to' with the server's jid 
> (usually just the domain). If I read the Pidgin Security Advisory correctly, 
> some servers do forward iq-replies which do contain a 'from' of the server, 
> which is the real problem. So those failing servers do seem to miss a check 
> for the validity of the 'from'.
> 
> But replying to an iq without a 'to' with an iq with a 'from' of the server 
> is imho correct.
> 
> Regards,
> 
> Alexander Holler

No, that’s wrong. http://xmpp.org/rfcs/rfc6120.html#rules-noto-IQ:

"If the server receives an IQ stanza with no 'to' attribute, it MUST process
the stanza on behalf of the account from which received the stanza, ... by
returning an appropriate IQ stanza of type "result" or "error", responding as
if the server were the bare JID of the sending entity."

Thijs
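
The check discussed in this thread, written out as an added example (it is not code from either poster or from Pidgin): a client-side validation of the 'from' on an IQ reply, using the jabber.org trace quoted above. The function name, the account JID `user@jabber.org/laptop`, the `allow_server_domain` switch and the simplified case-folding JID comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def bare(jid):
    """Strip the resource: user@domain/res -> user@domain (simplified, no stringprep)."""
    return jid.split("/", 1)[0].lower()

def domain(jid):
    """Domain part of a JID: user@domain/res -> domain."""
    return bare(jid).split("@", 1)[-1]

def check_iq_reply(request_xml, reply_xml, own_jid, allow_server_domain=False):
    """Return 'accept', 'accept-lenient' or 'reject' for a reply to our IQ."""
    req, rep = ET.fromstring(request_xml), ET.fromstring(reply_xml)
    # A reply must be result/error and must reuse the id of the request.
    if rep.get("type") not in ("result", "error") or rep.get("id") != req.get("id"):
        return "reject"
    sent_to, got_from = req.get("to"), rep.get("from")
    if sent_to is not None:
        # Addressed request: only the addressed entity may answer.
        return "accept" if got_from == sent_to else "reject"
    # Request had no 'to': per the RFC 6120 text quoted above, the server
    # answers as if it were the sender's bare JID (or omits 'from').
    if got_from is None or got_from.lower() == bare(own_jid):
        return "accept"
    # Behaviour seen in the traces above (from='jabber.org'): tolerated only
    # when the caller opts in, and reported separately so it can be logged.
    if allow_server_domain and got_from.lower() == domain(own_jid):
        return "accept-lenient"
    return "reject"

# Constructed account JID; request and reply are the jabber.org trace above.
OWN_JID = "user@jabber.org/laptop"
REQUEST = """<iq type='set' id='purplec5ae5254'>
      <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
   </iq>"""
REPLY = "<iq from='jabber.org' type='result' id='purplec5ae5254'/>"

if __name__ == "__main__":
    print("strict :", check_iq_reply(REQUEST, REPLY, OWN_JID))
    print("lenient:", check_iq_reply(REQUEST, REPLY, OWN_JID, allow_server_domain=True))
```
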

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________