Re: [Security] [jdev] Spoofing of iq ids and misbehaving servers

[Florian Zeitz]

On 02.02.2014 11:39, Alexander Holler wrote:
> Am 02.02.2014 09:23, schrieb Waqas Hussain:
> 
>>
>> Using the server's hostname in this case is still a bug though.
>> RFC3920 was vague, but RFC6120 is quite clear on this. Even before
>> 6120's publication this was the consensus (which led to 6120
>> clarifying it).
>>
>> In a c2s connection, the default address of the 'c' side is the
>> connection's full JID, while of the 's' side is the user's bare JID.
> 
> No. for me, and as it looks, some other server authors, the obvious
> content of a missing 'to' is the direct communcation partner to which
> the stanza is send to.
> 
> If you have a c2s connection and the client sends a stanza without 'to'
> (client -> server), it is for sure not obvious that the client itself is
> the what the missing 'to' should be.
> 
> And if you change the RFC, you can't blame servers as the changed RFC
> made them non-compliant.
> 
Okay, I don't blame you. Now go *update* your server to the current
version of the RFC, which has been out for quite some time.
Your complaints about this clarification in the RFC is really more than
just a bit late.