Richard Dobson wrote:

----- Original Message -----
From: "Ulrich B. Staudinger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2003 2:05 PM
Subject: Re: [JDEV] Re: jabber; what would you like to see?





Richard Dobson wrote:



What I picture is that one could have a scripting language within the
packets, for example:

<iq type="get">
<query xmlns="bla bla">
<script>
@users=fetchroster(1,2,3);
for ($i=0; $i<[EMAIL PROTECTED]) {
 echo "<message [EMAIL PROTECTED]> In my new roster bla bla ";
}
createrostergroup(@users, "newrostergroup");
return @users;
</script>
</query>
</iq>




Sorry but to me anyone doing something like this should be shot, having
scripting sent inside packets to be processed by the endpoint like this
is a security hole of an enormous magnitude, and we definitely should not
be doing anything like this. This is kind of like Word macros, it can have
some benefits but the potential for abuse is massive, it would require all
sorts of extra security stuff to even attempt to secure it. Overall I think
the downsides are far more than the benefit of the convenience, the best
thing is to continue doing what we have been doing and creating protocols
for set purposes. We don't need the flexibility of a scripting system as we
already have the flexibility/extensibility of XML and the jabber protocol
to do things like this without creating massive security holes.



Maybe not shot - only dipped into cold coffee for more than an hour ...
+1 - absolutely not supportable from my side.



Yea sorry, "... should be shot" is a common saying over here in the UK meaning that something someone has done is very bad/silly, it's a tongue-in-cheek thing.

i guess i should get familiar with all those sayings ... tongue in cheek? now what's this, where should i put my tongue? :-)

np

ulrich


Richard


_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev





--
Ulrich B. Staudinger
http://www.die-horde.de
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]

current project: REDHORN
http://redhorn.sourceforge.net

Blog: http://jabber.linux.it/jogger/[EMAIL PROTECTED]

