On Wed, Jul 15, 2009 at 11:51 PM, Peter Saint-Andre<stpe...@stpeter.im> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 7/15/09 4:44 PM, Fabio Forno wrote:
>> On Thu, Jul 16, 2009 at 12:38 AM, Peter Saint-Andre<stpe...@stpeter.im> 
>> wrote:
>>> It's not clear how many server codebases follow RFC 3921 about blocking
>>> jabber:iq:roster packets, but if we're going to remove that restriction
>>> (it seems we have consensus) then start filing bug reports and feature
>>> requests with your favorite server codebases and I would bet they will
>>> fix this before draft-ietf-xmpp-3921bis becomes an RFC. :)
>>
>> What about clients that don't check the from, which is legit since
>> they trust the server?  For them we introduce a temporary security
>> issue.
>
> Good point. Hmm. Maybe we need urn:xmpp:roster after all...
>

Please no :)

Broken clients get what they deserve. Here is RFC3921:

[[For added safety, a client SHOULD check the "from" address of a
"roster push" (incoming IQ of type "set" containing a roster item) to
ensure that it is from a trusted source; specifically, the stanza MUST
either have no 'from' attribute (i.e., implicitly from the server) or
have a 'from' attribute whose value matches the user's bare JID (of
the form <u...@domain>) or full JID (of the form
<u...@domain/resource>); otherwise, the client SHOULD ignore the
"roster push".]]

and 3921bis:

[[A receiving client MUST ignore the stanza unless it has no 'from'
attribute (i.e., implicitly from the user's bare JID) or it has a
'from' attribute whose value matches the user's bare JID
<u...@domain>.]]

I think any client which doesn't obey this is inherently insecure
already and should be fixed now, regardless of whether this proposed
change goes ahead. For the reasons I stated on the XMPP list I don't
have any desire for servers to vet stanzas a client receives to its
full JID (privacy lists aside).

Matthew (worried he is starting to sound like Dave :) )
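
The 'from' check quoted above, written out as an added example (this is not code from the thread or from any XMPP server or client project). It implements both rules: the original RFC 3921 rule, which also accepts the user's own full JID, and the 3921bis rule, which accepts only a missing 'from' or the user's bare JID. The stanzas and the JID juliet@example.com/balcony are constructed for illustration; lower-casing node and domain is a simplifying stand-in for the nodeprep/nameprep case folding a real client would apply.

```python
"""
Validate the 'from' address of an XMPP roster push (IQ type='set' carrying a
jabber:iq:roster query) before applying it to the local roster.

Added example illustrating the RFC 3921 / 3921bis rule quoted in the thread.
Sample stanzas and JIDs below are constructed, not captured traffic.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

ROSTER_NS = "jabber:iq:roster"


def split_jid(jid: str) -> Tuple[str, str, str]:
    """Split 'node@domain/resource' into (node, domain, resource).

    Assumption: the input is a syntactically valid JID. Node and domain are
    lower-cased as a rough approximation of RFC 3920 stringprep case folding;
    the resource part is case-sensitive and left untouched.
    """
    bare, _, resource = jid.partition("/")
    node, _, domain = bare.rpartition("@")  # node is '' for a bare domain JID
    return node.lower(), domain.lower(), resource


def is_roster_push(iq: ET.Element) -> bool:
    """True if the element is an <iq type='set'> wrapping a roster query."""
    return (
        iq.tag in ("iq", "{jabber:client}iq")
        and iq.get("type") == "set"
        and iq.find(f"{{{ROSTER_NS}}}query") is not None
    )


def from_is_trusted(from_attr: Optional[str], my_full_jid: str,
                    strict: bool = True) -> bool:
    """Decide whether a roster push with this 'from' may be trusted.

    strict=True  -> 3921bis: no 'from', or 'from' equals our bare JID.
    strict=False -> RFC 3921: additionally accept our own full JID.
    Any other sender (another user, another resource of ours) is rejected.
    """
    if from_attr is None:
        return True  # implicitly from the server / our own bare JID
    my_node, my_domain, my_res = split_jid(my_full_jid)
    node, domain, res = split_jid(from_attr)
    if (node, domain) != (my_node, my_domain):
        return False  # some other account: never trusted
    if res == "":
        return True  # our bare JID
    return (not strict) and res == my_res  # our full JID, RFC 3921 only


def accept_roster_push(stanza_xml: str, my_full_jid: str,
                       strict: bool = True) -> bool:
    """Parse one stanza and report whether the client should apply it."""
    iq = ET.fromstring(stanza_xml)
    if not is_roster_push(iq):
        return False
    return from_is_trusted(iq.get("from"), my_full_jid, strict)


# Constructed samples (not real traffic).
ME = "juliet@example.com/balcony"
ITEM = '<query xmlns="jabber:iq:roster"><item jid="romeo@example.net" subscription="both"/></query>'
PUSH_NO_FROM = f'<iq type="set" id="p1">{ITEM}</iq>'
PUSH_BARE = f'<iq type="set" id="p2" from="juliet@example.com">{ITEM}</iq>'
PUSH_CASE = f'<iq type="set" id="p3" from="Juliet@EXAMPLE.com">{ITEM}</iq>'
PUSH_FULL = f'<iq type="set" id="p4" from="juliet@example.com/balcony">{ITEM}</iq>'
PUSH_OTHER_RESOURCE = f'<iq type="set" id="p5" from="juliet@example.com/garden">{ITEM}</iq>'
PUSH_SPOOF = f'<iq type="set" id="p6" from="mallory@example.com">{ITEM}</iq>'
NOT_A_PUSH = f'<iq type="result" id="p7">{ITEM}</iq>'

if __name__ == "__main__":
    for name, xml in [("no from", PUSH_NO_FROM), ("bare", PUSH_BARE),
                      ("case", PUSH_CASE), ("full", PUSH_FULL),
                      ("other resource", PUSH_OTHER_RESOURCE),
                      ("spoof", PUSH_SPOOF), ("not a push", NOT_A_PUSH)]:
        print(f"{name:15} 3921={accept_roster_push(xml, ME, strict=False)!s:5} "
              f"3921bis={accept_roster_push(xml, ME, strict=True)}")
```

The spoofed stanza from mallory@example.com is exactly the case the thread worries about once servers stop filtering jabber:iq:roster: a client that skips this check would let any contact rewrite its roster. Note that a push from a second resource of the same account fails under both rules, so a client that is strict about the bare-JID form cannot be tricked by a sibling session either.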
