On 9/23/09 7:40 AM, Waqas Hussain wrote:
> On Wed, Sep 23, 2009 at 3:04 AM, Peter Saint-Andre <[email protected]> wrote:
>
>> XEP-0030 allows the 'category' and 'type' attributes to have any length,
>> including zero. This opens the door to certain attacks in entity
>> capabilities (see the recent discussion on the [email protected] list)
>> and in any case I think it is not a good idea (is there any meaning to a
>> zero-length category or type?). Also, we need to harmonize the 'jid'
>> attribute in disco with rfc3920bis. I propose the following:
>>
>> 1. 'category' shall have a minimum length of 1
>>
>> 2. 'type' shall have a minimum length of 1
>>
>> 3. 'jid' shall be a length between 1 and 3071 (see 3920bis)
>>
>> Peter
>
> Quoting from one of my messages on the security list:
>
> <feature var='http://jabber.org/protocol/muc'/>
>
> can still be replaced by
>
> <identity category='http:' type='/jabber.org' xml:lang='protocol' name='muc'/>
>
> which can be replaced by
>
> <identity category='http:/' type='jabber.org' xml:lang='protocol' name='muc'/>
>
> Therefore, the security benefit of requiring minimum lengths is
> questionable.

Primarily, zero-length categories and types are useless in service
discovery. So I think that we need to change the disco spec itself anyway.
I am *not* saying that this modification would fix all security problems in
XEP-0115.

> In its current form, the hashing function always succeeds for any given
> non-null input. This is desirable because it simplifies implementations,
> and is exactly the same as popular hashing functions (MD5, SHA, etc).
> Specifying minimum lengths is fine, but is there a reason for receiving
> implementations to actually enforce these limits?

Because zero-length categories and types are useless.

> The caps algorithm in XEP-0115 actually talks about missing 'type'
> attributes. This ought to be fixed.

That's a spec bug in XEP-0115, because 'type' is a MUST in XEP-0030.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
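The collision Waqas quotes above, worked through as an added example that is not part of the thread and not code from any XMPP implementation. It implements the XEP-0115 verification-string construction (each identity serialized as category/type/lang/name followed by '<', each feature as var followed by '<', identities before features, both sorted, then SHA-1 and base64; extended data forms are omitted because the sample has none). The disco#info results and the "Example client" name are constructed for the example. The point it shows: a feature and an identity whose '/'-containing attributes serialize to the same bytes yield the same 'ver' hash, and the proposed minimum-length rule on 'category' and 'type' rejects only the all-empty identity, not the crafted one.

```python
# Added example, not code from the standards@ thread or from any XMPP
# implementation.  It builds the XEP-0115 verification string for a
# disco#info result and shows why a minimum-length rule on 'category' and
# 'type' does not prevent the feature/identity collision shown above.
#
# XEP-0115 serializes a disco#info result as
#     category/type/lang/name<   for each identity, sorted
#     var<                       for each feature, sorted
# (extended data forms would follow; omitted here because the sample has
# none), then hashes the string with SHA-1 and base64-encodes the digest.
import base64
import hashlib
from typing import Iterable, List, Tuple

# (category, type, xml:lang, name) of a disco#info <identity/> element
Identity = Tuple[str, str, str, str]


def verification_string(identities: Iterable[Identity], features: Iterable[str]) -> str:
    """Concatenate identities then features exactly as XEP-0115 prescribes."""
    s = ""
    for category, typ, lang, name in sorted(identities):
        s += f"{category}/{typ}/{lang}/{name}<"
    for var in sorted(features):
        s += f"{var}<"
    return s


def caps_ver(identities: Iterable[Identity], features: Iterable[str]) -> str:
    """The 'ver' attribute value: base64(SHA-1(S))."""
    digest = hashlib.sha1(
        verification_string(identities, features).encode("utf-8")
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def meets_proposed_minimums(identities: Iterable[Identity]) -> bool:
    """The rule proposed in the thread: 'category' and 'type' at least 1 char."""
    return all(len(category) >= 1 and len(typ) >= 1
               for category, typ, _lang, _name in identities)


# Constructed disco#info results (the client name is hypothetical).
CLIENT: Identity = ("client", "pc", "", "Example client")

# 1. An entity that genuinely advertises MUC support as a feature.
HONEST_IDENTITIES: List[Identity] = [CLIENT]
HONEST_FEATURES: List[str] = ["http://jabber.org/protocol/muc"]

# 2. The same entity with no features at all, but with an extra identity whose
#    attributes contain '/' so that they serialize to the feature's bytes.
#    "client" sorts before "http:", so the identity lands where the feature was.
CRAFTED_A: List[Identity] = [CLIENT, ("http:", "/jabber.org", "protocol", "muc")]
CRAFTED_B: List[Identity] = [CLIENT, ("http:/", "jabber.org", "protocol", "muc")]

# 3. The degenerate identity the minimum-length rule is actually aimed at.
EMPTY_IDENTITY: Identity = ("", "", "", "")


def collision_report() -> dict:
    """Summarize what the length rule catches and what it misses."""
    honest = caps_ver(HONEST_IDENTITIES, HONEST_FEATURES)
    return {
        "honest_ver": honest,
        "crafted_a_matches": caps_ver(CRAFTED_A, []) == honest,
        "crafted_b_matches": caps_ver(CRAFTED_B, []) == honest,
        "crafted_pass_length_rule": (meets_proposed_minimums(CRAFTED_A)
                                     and meets_proposed_minimums(CRAFTED_B)),
        "empty_passes_length_rule": meets_proposed_minimums([CLIENT, EMPTY_IDENTITY]),
    }


if __name__ == "__main__":
    print(verification_string(HONEST_IDENTITIES, HONEST_FEATURES))
    print(verification_string(CRAFTED_A, []))
    for key, value in collision_report().items():
        print(f"{key}: {value}")
```

Both crafted results produce the string `client/pc//Example client<http://jabber.org/protocol/muc<`, byte-for-byte the honest one, so a receiver that caches capabilities by 'ver' cannot tell them apart; only the all-empty identity fails the length rule.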
