Re: [Standards] length of disco attributes

On Wed, Sep 23, 2009 at 5:43 PM, Waqas Hussain wrote: > That hack slightly reduces the attack surface, but does not eliminate it. If > any of the element's attributes have a '/' in them, they are > open to attack despite the dummy feature. The thread on the security ML > talks about several rela

Re: [Standards] length of disco attributes

On Wed, Sep 23, 2009 at 8:23 PM, Fabio Forno wrote: > AFAIK, since features must be sorted, the only thing you can replace > with an identity is the first feature with the last identity. If we > insert a dummy feature or identity between them the problem could be > avoided (besides possible impl

Re: [Standards] length of disco attributes

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/23/09 8:05 AM, Waqas Hussain wrote: > Sure, but I see no point in implementations actually _failing_ on > receiving them. If my code works correctly with valid implementations, > and my code can also work with some broken implementations, I don't

Re: [Standards] length of disco attributes

On Wed, Sep 23, 2009 at 3:40 PM, Waqas Hussain wrote: > Quoting from one of my messages on the security list: >    > can still be replaced by >    name='muc'/> > which can be replaced by >    name='muc'/> > Therefore, the security benefit of requiring minimum lengths is > questionable. AFAIK, sin

Re: [Standards] length of disco attributes

On Wed, Sep 23, 2009 at 6:45 PM, Peter Saint-Andre wrote: > Primarily, zero-length categories and types are useless in service > discovery. So I think that we need to change the disco spec itself > anyway. I am *not* saying that this modification would fix all security > problems in XEP-0115. Th

Re: [Standards] length of disco attributes

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/23/09 7:40 AM, Waqas Hussain wrote: > On Wed, Sep 23, 2009 at 3:04 AM, Peter Saint-Andre > wrote: > > XEP-0030 allows the 'category' and 'type' attributes to have any length, > including zero. This opens the door to ce

Re: [Standards] length of disco attributes

On Wed, Sep 23, 2009 at 3:04 AM, Peter Saint-Andre wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > XEP-0030 allows the 'category' and 'type' attributes to have any length, > including zero. This opens the door to certain attacks in entity > capabilities (see the recent discussion on t

Re: [Standards] length of disco attributes

On Sep 22, 2009, at 3:04 PM, Peter Saint-Andre wrote: XEP-0030 allows the 'category' and 'type' attributes to have any length, including zero. This opens the door to certain attacks in entity capabilities (see the recent discussion on the secur...@xmpp.org list) and in any case I think it is n

[Standards] length of disco attributes

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 XEP-0030 allows the 'category' and 'type' attributes to have any length, including zero. This opens the door to certain attacks in entity capabilities (see the recent discussion on the secur...@xmpp.org list) and in any case I think it is not a good id