On Sun, Feb 2, 2014 at 1:33 AM, Alexander Holler <[email protected]> wrote:
> On 02.02.2014 02:30, Mark Doliner wrote:
>> On Sat, Feb 1, 2014 at 5:20 PM, Alexander Holler <[email protected]> wrote:
>>> On 01.02.2014 20:41, Mark Doliner wrote:
>>>> On Sat, Feb 1, 2014 at 11:20 AM, Alexander Holler <[email protected]> wrote:
>>>>> Thijs Alkemade didn't write that an already broken server is necessary to
>>>>> explore or do something malicious with "delaying" replies or whatever.
>>>>
>>>> An already broken server is NOT necessary. The IQ from malicious user
>>>> to target user might look like this:
>>>> <iq to="[email protected]/Resource" id="someid123" type="result">
>>>> <query xmlns="jabber:iq:roster">
>>>> <item jid="[email protected]" subscription="both" />
>>>> </query>
>>>> </iq>
>>>
>>> This would end up as a reply from the one who sent that stanza. So
>>> already a wrong sender. If a client doesn't check that, it's as broken
>>> as a server which doesn't validate the 'from' attribute.
>>
>> Yes, that's exactly the point of this email thread. Thijs wanted to
>> raise awareness that in fact many clients DON'T check the 'from' for
>> iq replies.
>
> Oh. Based on the subject, the non-disclosed CVE and the description I
> had the impression the problem is that clients don't make a difference between
> 'server' or 'myself' in the 'from' attribute of replies and that this
> thread was because of misbehaving servers. But not that clients don't
> check the 'from' at all, which is a slight difference.
>
Using the server's hostname in this case is still a bug though. RFC3920 was vague, but RFC6120 is quite clear on this. Even before 6120's publication this was the consensus (which led to 6120 clarifying it). In a c2s connection, the default address of the 'c' side is the connection's full JID, while that of the 's' side is the user's bare JID.

--
Waqas Hussain

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
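The client-side check the thread says many clients lack, as an added example (not code from the thread or from any client or library mentioned in it): every IQ reply's 'from' is matched against the 'to' of the request it answers, and for requests sent to one's own server an absent 'from' or the account's bare JID is accepted, following Waqas's reading of RFC 6120. The JIDs, the stanzas and the optional `tolerate_server_domain` switch are constructed for this example.

```python
import xml.etree.ElementTree as ET

def normalize_jid(jid):
    """Lower-case localpart@domainpart; the resourcepart stays case-sensitive.
    Simplified stand-in for the full stringprep/PRECIS JID profiles."""
    node, sep, resource = jid.partition("/")
    return node.lower() + sep + resource

def accept_iq_reply(pending, stanza_xml, my_bare_jid, tolerate_server_domain=False):
    """Return (accepted, reason). `pending` maps the id of each IQ we sent to
    the 'to' we addressed it to; None means it went to our own server."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag != "iq" or iq.get("type") not in ("result", "error"):
        return False, "not an IQ reply"
    iq_id = iq.get("id")
    if iq_id not in pending:
        return False, "unsolicited reply (unknown id)"
    expected_to = pending[iq_id]
    sender = iq.get("from")
    if expected_to is None:
        # Request went to our server: a server-originated stanza carries no
        # 'from' or our bare JID. Some deployments stamp the server's domain
        # instead; the thread calls that a bug, so it is off by default.
        allowed = {None, normalize_jid(my_bare_jid)}
        if tolerate_server_domain:
            allowed.add(my_bare_jid.split("@", 1)[1].lower())
        ok = (None if sender is None else normalize_jid(sender)) in allowed
    else:
        ok = sender is not None and normalize_jid(sender) == normalize_jid(expected_to)
    if not ok:
        return False, f"'from' {sender!r} does not match request 'to' {expected_to!r}"
    del pending[iq_id]  # consume the id: one reply per request, no replays
    return True, "ok"

def demo():
    """Constructed stanzas modelled on the thread's roster example."""
    pending = {"someid123": None}  # our roster get, sent with no 'to'
    # A third party's "reply": the server stamps their full JID as 'from'.
    spoofed = ('<iq to="alice@example.org/Res" from="mallory@example.net/Home" '
               'id="someid123" type="result"><query xmlns="jabber:iq:roster">'
               '<item jid="mallory@example.net" subscription="both"/></query></iq>')
    genuine = ('<iq to="alice@example.org/Res" id="someid123" type="result">'
               '<query xmlns="jabber:iq:roster"/></iq>')
    r1 = accept_iq_reply(pending, spoofed, "alice@example.org")
    r2 = accept_iq_reply(pending, genuine, "alice@example.org")
    r3 = accept_iq_reply(pending, genuine, "alice@example.org")  # replayed id
    return r1[0], r2[0], r3[0]  # (False, True, False)
```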
