Re: [Standards] UPDATED: XEP-0363 (HTTP File Upload)
* XMPP Extensions Editor [2017-02-02 00:14]:
> Version 0.3.0 of XEP-0363 (HTTP File Upload) has been released.

from a brief reading of the XEP, it might be a good idea to add to the security consideration a sentence or two about the inclusion of new-line and other illegal characters in the name, value and the slot URLs, and how a client should handle those.

There are some interesting HTTP-level attacks related to new-lines [0], and a malicious server might attempt a kind of blind scan by responding with slot URLs on the client's LAN and waiting for repeated slot requests. I'm not sure though if this second one is a practical risk, and whether anything can be done about it.

Georg

[0] http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html

___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___
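A client-side check along the lines suggested in the message above, as an added example that is not part of the original post or of XEP-0363. The names `check_url` and `check_slot`, the https-only rule and the refusal of literal non-global IP hosts are assumptions made here; the sample inputs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 7230 "token": the characters allowed in an HTTP header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# C0 control characters (CR and LF included) and DEL.
CTL = re.compile(r"[\x00-\x1f\x7f]")


def check_url(label, url):
    """Return a problem string for one slot URL, or None if it passes."""
    # Test the raw string first: some urlsplit versions silently drop CR/LF/TAB.
    if CTL.search(url) or " " in url:
        return f"{label}: control or space character in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return f"{label}: unparsable URL"
    if parts.scheme != "https" or not host:  # https-only is an assumed policy
        return f"{label}: not an absolute https URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name; what it resolves to is not checked here
    if not addr.is_global:
        return f"{label}: literal non-global address {addr}"
    return None


def check_slot(put_url, get_url, headers):
    """Return the list of problems in a slot response; empty means usable.

    headers: (name, value) pairs the service asks to be sent with the PUT.
    """
    problems = [p for p in (check_url("put", put_url),
                            check_url("get", get_url)) if p]
    for name, value in headers:
        # fullmatch, not match with "$", which would accept a trailing "\n".
        if not TOKEN.fullmatch(name):
            problems.append(f"header name rejected: {name!r}")
        if CTL.search(value):
            problems.append(f"header value rejected for {name!r}")
    return problems
```

A client would call `check_slot` on the parsed slot response and abandon the upload if the list is non-empty.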
[Standards] XMPP Council Meeting tomorrow
Folks,

The XMPP Council will be holding its first "business" meeting tomorrow at 1600 UTC.

While we organise the agenda on Trello at https://trello.com/b/ww7zWMlI/xmpp-council-agenda, there's quite a few old cards, so I'm proposing dedicating some of tomorrow's meeting to having a quick check to see what's relevant and what's overtaken by events.

There are also three voting items, all advancements:

* Vote on moving XEP-0387 to Draft [Reboot voting from last session]
* Issue Last Call for XEP-0363 for advancement to Draft.
* Vote on deprecating XEP-0085 (Stream Initiation)
* ... and XEP-0096 (SI File Transfer).
* Trello clear-up (as much as we can in time).
* AOB

Meetings are normally held every Wednesday at 1600 UTC in the xmpp:coun...@muc.xmpp.org?join chatroom.

Meetings are open, and anyone (XSF Member or not) may attend, though only XMPP Council members may vote. Relevant comments from the floor are welcomed.

Items for the agenda may be placed in Trello and/or submitted to me.

We would also welcome a volunteer to take minutes (please reply to this message if you can take this on tomorrow).

Thanks,

Dave.
(As Council Chair).
[Standards] UPDATED: XEP-0373 (OpenPGP for XMPP)
Version 0.2.1 of XEP-0373 (OpenPGP for XMPP) has been released.

Abstract: Specifies end-to-end encryption and authentication of data with the help of OpenPGP, announcement, discovery and retrieval of public keys and a mechanism to synchronize secret keys over multiple devices.

Changelog: (see in-document revision history)

URL: https://xmpp.org/extensions/xep-0373.html
Re: [Standards] XEP-0313: Treatment of type=groupchat in user archive with or without hint
I've been reading XEP-0313 again in an attempt to figure out how to word what you are describing and I came across »it refers to what would appear to have been stored in order to satisfy the query.«

Keeping this in mind my pull request [1] is exactly what you want it to be. (Plus or minus the reference to the hint which I already offered to remove)

[1]: https://github.com/xsf/xeps/pull/547

2017-11-27 18:43 GMT+01:00 Kevin Smith:
> On 24 Nov 2017, at 08:23, Daniel Gultsch wrote:
>
> 2017-11-23 23:45 GMT+01:00 Kevin Smith:
>
> On 23 Nov 2017, at 22:18, Matthew Wild wrote:
>
> On 23 November 2017 at 18:33, Daniel Gultsch wrote:
>
> 2017-11-23 18:33 GMT+01:00 Kevin Smith:
>
> The main use case for having gc messages in the archive is “I remember I saw
> someone say something interesting about X, so now I’m going to search my
> archive for X to find it”, which really needs to have all the messages
> you’ve seen available, rather than splitting them between multiple sources,
> some of which won’t support MAM.
>
> I agree that for “catch-up”, it’s not particularly useful, but knowing
> exactly what messages you’ve seen is.
>
> Perhaps filtering MAM queries on type would be sensible.
>
> OK. I buy the arguments with future proofing for MIX and 'backup'.
>
> However we really need a way to exclude type=groupchat from a normal
> catchup.
> I see three possibilities to achieve this.
> 1) Add a data form field 'exclude-groupchat' which can be set to '1'
> 2) Add a multi-item form field 'exclude-types'
> 3) Add a multi-item form field 'include-types'
>
> I think (2) is the best option here because it is more flexible than
> (1) and has a better default if absent behaviour than (3)
>
> If other people agree I can create a PR for that XEP.
>
> Though I agree with your analysis, I don't particularly like any of
> these approaches. It feels like a road towards a proliferation of
> filters in the XEP, which is something I would really like to avoid.
>
> There’s really no reason it has to be in 313, though, same as search doesn’t
> have to be.
>
> Yes. It absolutely has to be in 0313. If we decide to store what is
> basically useless (not having the real jid sender), incomplete garbage
> in the user archive we definitely need a way to not query it during
> catch up. And that method has to be specified in the XEP as a MUST. I
> don't want to gamble that every server out there will implement some
> niche third party XEP.
>
> I don’t think this is true. We assume that servers implement those XEPs that
> are useful for their particular deployment needs. I think that specifying
> option (3) outside 313 would work fine, for example, and falls back
> gracefully to the default rules in 313 if we say they don’t return gc by
> default.
>
> /K