-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/15/09 5:55 PM, Matthew Wild wrote:
> On Wed, Jul 15, 2009 at 11:51 PM, Peter Saint-Andre<stpe...@stpeter.im> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 7/15/09 4:44 PM, Fabio Forno wrote:
>>> On Thu, Jul 16, 2009 at 12:38 AM, Peter Saint-Andre<stpe...@stpeter.im> wrote:
>>>> It's not clear how many server codebases follow RFC 3921 about blocking
>>>> jabber:iq:roster packets, but if we're going to remove that restriction
>>>> (it seems we have consensus) then start filing bug reports and feature
>>>> requests with your favorite server codebases and I would bet they will
>>>> fix this before draft-ietf-xmpp-3921bis becomes an RFC. :)
>>> What about clients that don't check the from, which is legit since
>>> they trust the server?  For them we introduce a temporary security
>>> issue
>> Good point. Hmm. Maybe we need urn:xmpp:roster after all...
>>
> 
> Please no :)

Just to clarify, I meant for shared groups only, not traditional rosters.

> Broken clients get what they deserve. Here is RFC3921:
> 
> [[For added safety, a client SHOULD check the "from" address of a
> "roster push" (incoming IQ of type "set" containing a roster item) to
> ensure that it is from a trusted source; specifically, the stanza MUST
> either have no 'from' attribute (i.e., implicitly from the server) or
> have a 'from' attribute whose value matches the user's bare JID (of
> the form <u...@domain>) or full JID (of the form
> <u...@domain/resource>); otherwise, the client SHOULD ignore the
> "roster push".]]
> 
> and 3921bis:
> 
> [[A receiving client MUST ignore the stanza unless it has no 'from'
> attribute (i.e., implicitly from the user's bare JID) or it has a
> 'from' attribute whose value matches the user's bare JID
> <u...@domain>.]]

So we'd need to modify that MUST to say something about accepting roster
information only from trusted entities (in the traditional model the
only trusted entity was yourself, but in the "modern" model that we're
discussing you might trust a shared group service).

> I think any client which doesn't obey this is inherently insecure
> already and should be fixed now, regardless of whether this proposed
> change goes ahead. For the reasons I stated on the XMPP list I don't
> have any desire for servers to vet stanzas a client receives to its
> full JID (privacy lists aside).

Agreed.

Peter

- --
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpeiWQACgkQNL8k5A2w/vx1cACfZlv3XwYk01/t4uSRnV098zZU
4EMAoJID00qR2PhLIUl4JqbFuDa93qw4
=fyDZ
-----END PGP SIGNATURE-----
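A client-side check for the roster-push rule quoted in the thread, as an added example in Python; this is not code from the thread or from any XMPP server or client codebase. It accepts a push only when the 'from' attribute is absent or equals the user's bare JID (the 3921bis wording), optionally also the full JID (the RFC 3921 wording), and, as an illustration of the "trusted entities" extension discussed above, an explicit set of trusted senders. The `trusted` set, the `groups.capulet.lit` shared-group service, the `allow_full_jid` switch and all stanzas are constructed for this example.

```python
"""Roster-push sender check (added example; not from the thread)."""
import xml.etree.ElementTree as ET
from typing import FrozenSet, List, Optional, Tuple

NS_ROSTER = "jabber:iq:roster"


def bare_jid(jid: str) -> str:
    """Strip the resource: user@domain/resource -> user@domain."""
    return jid.split("/", 1)[0]


def _local(tag: str) -> str:
    """Drop a Clark-notation namespace ({ns}name -> name), so the check works
    whether or not the <iq/> carries an explicit xmlns='jabber:client'."""
    return tag.rsplit("}", 1)[-1]


def is_roster_push(stanza: ET.Element) -> bool:
    """A roster push is an <iq type='set'/> carrying a jabber:iq:roster <query/>."""
    return (
        _local(stanza.tag) == "iq"
        and stanza.get("type") == "set"
        and stanza.find(f"{{{NS_ROSTER}}}query") is not None
    )


def sender_is_trusted(sender: Optional[str], my_full_jid: str,
                      trusted: FrozenSet[str] = frozenset(),
                      allow_full_jid: bool = False) -> bool:
    """Apply the 'from' rule: no 'from' (implicitly the server) or the user's
    bare JID is always accepted; the full JID only under the RFC 3921 wording;
    anything else only if it is in the explicit trusted set (assumption made
    here to model Peter's "trusted entities", e.g. a shared-group service)."""
    if sender is None:
        return True
    if sender == bare_jid(my_full_jid):
        return True
    if allow_full_jid and sender == my_full_jid:
        return True
    return sender in trusted


def handle_roster_push(xml_text: str, my_full_jid: str,
                       trusted: FrozenSet[str] = frozenset(),
                       allow_full_jid: bool = False
                       ) -> Optional[List[Tuple[str, str]]]:
    """Return the (jid, subscription) items of an accepted push, or None when
    the stanza is not a roster push or must be ignored per the 'from' rule."""
    stanza = ET.fromstring(xml_text)
    if not is_roster_push(stanza):
        return None
    if not sender_is_trusted(stanza.get("from"), my_full_jid, trusted, allow_full_jid):
        return None  # spoofed or untrusted push: ignored, roster untouched
    query = stanza.find(f"{{{NS_ROSTER}}}query")
    return [(item.get("jid"), item.get("subscription", "none"))
            for item in query.findall(f"{{{NS_ROSTER}}}item")]


# Constructed sample data (hypothetical JIDs and service name).
ME = "juliet@capulet.lit/balcony"
SHARED_GROUPS = frozenset({"groups.capulet.lit"})

PUSH_FROM_SERVER = ("<iq type='set' id='push1'><query xmlns='jabber:iq:roster'>"
                    "<item jid='romeo@montague.lit' subscription='both'/></query></iq>")
PUSH_FROM_BARE = ("<iq type='set' id='push2' from='juliet@capulet.lit'>"
                  "<query xmlns='jabber:iq:roster'>"
                  "<item jid='nurse@capulet.lit' subscription='to'/></query></iq>")
PUSH_FROM_STRANGER = ("<iq type='set' id='push3' from='romeo@montague.lit'>"
                      "<query xmlns='jabber:iq:roster'>"
                      "<item jid='mercutio@montague.lit' subscription='both'/></query></iq>")
PUSH_FROM_GROUPS = ("<iq type='set' id='push4' from='groups.capulet.lit'>"
                    "<query xmlns='jabber:iq:roster'>"
                    "<item jid='tybalt@capulet.lit' subscription='both'/></query></iq>")
PUSH_FROM_FULL = ("<iq type='set' id='push5' from='juliet@capulet.lit/balcony'>"
                  "<query xmlns='jabber:iq:roster'>"
                  "<item jid='benvolio@montague.lit' subscription='from'/></query></iq>")
ROSTER_RESULT = ("<iq type='result' id='r1'><query xmlns='jabber:iq:roster'>"
                 "<item jid='romeo@montague.lit' subscription='both'/></query></iq>")

if __name__ == "__main__":
    print("server push:   ", handle_roster_push(PUSH_FROM_SERVER, ME))
    print("bare-JID push: ", handle_roster_push(PUSH_FROM_BARE, ME))
    print("stranger push: ", handle_roster_push(PUSH_FROM_STRANGER, ME))
    print("groups, untrusted:", handle_roster_push(PUSH_FROM_GROUPS, ME))
    print("groups, trusted:  ", handle_roster_push(PUSH_FROM_GROUPS, ME, SHARED_GROUPS))
    print("full JID, 3921bis:", handle_roster_push(PUSH_FROM_FULL, ME))
    print("full JID, 3921:   ", handle_roster_push(PUSH_FROM_FULL, ME, allow_full_jid=True))
```

The stranger push and the untrusted shared-group push are the cases the thread worries about: a client that skips this check would let any entity that can route an IQ to its full JID rewrite its roster. Widening the rule for shared groups then means adding the group service to `trusted`, not dropping the check.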
