On Wed, Sep 23, 2009 at 6:45 PM, Peter Saint-Andre <stpe...@stpeter.im> wrote:

> Primarily, zero-length categories and types are useless in service
> discovery. So I think that we need to change the disco spec itself
> anyway. I am *not* saying that this modification would fix all security
> problems in XEP-0115.

That's fine then.

> > In its current form, the hashing function always succeeds for any given
> > non-null input. This is desirable because it simplifies implementations,
> > and is exactly the same as popular hashing functions (MD5, SHA, etc).
> > Specifying minimum lengths is fine, but is there a reason for receiving
> > implementations to actually enforce these limits?
>
> Because zero-length categories and types are useless.

Sure, but I see no point in implementations actually _failing_ on receiving them. If my code works correctly with valid implementations, and my code can also work with some broken implementations, I don't see much reason to add extra validation code just to stop working with broken implementations (unless Prosody is running in strict mode of course ;) ).

> > The caps algorithm in XEP-0115 actually talks about missing 'type'
> > attributes. This ought to be fixed.
>
> That's a spec bug in XEP-0115, because 'type' is a MUST in XEP-0030.
>
> Peter

--
Waqas Hussain
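As an added illustration of the two positions in this exchange (this is not code from the thread, from Prosody, or from the XEPs themselves): a small Python implementation of the XEP-0115 verification-string computation with a `strict` switch. The hash step itself accepts any input, as Waqas points out; the `strict` flag is my own addition that applies the XEP-0030 "type is a MUST" rule and rejects the zero-length categories and types Peter wants ruled out, while the lenient path hashes whatever was received. The identity/feature ordering and the `category/type/lang/name<` layout follow XEP-0115 as I recall it; extension data forms are left out, and the sample identities and features are constructed for this example.

```python
import base64
import hashlib


class CapsValidationError(ValueError):
    """Raised in strict mode when disco#info data violates the XEP-0030 rules."""


def validate_identities(identities):
    """Return a list of problems found in the identities (empty when clean).

    Checks applied: a zero-length 'category', an absent 'type' attribute
    (XEP-0030 makes 'type' a MUST), and a zero-length 'type'.
    """
    problems = []
    for ident in identities:
        if not ident.get("category", ""):
            problems.append("zero-length category")
        if "type" not in ident:
            problems.append("identity without 'type' attribute")
        elif not ident["type"]:
            problems.append("zero-length type")
    return problems


def build_caps_string(identities, features, strict=False):
    """Build the XEP-0115 'S' string from disco#info identities and features.

    identities: iterable of dicts with keys category, type, lang, name;
                a missing key models an absent XML attribute.
    features:   iterable of feature 'var' strings.
    strict:     if True, refuse the input when validate_identities() finds a
                problem; if False, hash whatever was received (lenient mode).
    Data forms (XEP-0128 extensions) are omitted here for brevity.
    """
    if strict:
        problems = validate_identities(identities)
        if problems:
            raise CapsValidationError("; ".join(problems))

    rows = []
    for ident in identities:
        # Lenient path: an absent attribute is treated as an empty string
        # (an assumption made for this example, not a rule from the spec).
        rows.append((
            ident.get("category", ""),
            ident.get("type") or "",
            ident.get("lang", ""),
            ident.get("name", ""),
        ))
    # XEP-0115: sort identities by category, then type, then xml:lang.
    rows.sort(key=lambda r: r[:3])
    s = "".join("%s/%s/%s/%s<" % row for row in rows)
    # Features are sorted and each one is terminated by '<'.
    s += "".join(f + "<" for f in sorted(features))
    return s


def caps_ver(identities, features, strict=False):
    """Return the base64-encoded SHA-1 'ver' value for the disco#info data.

    Note that SHA-1 itself never fails: any string, including one built from
    zero-length categories and types, yields a 28-character 'ver' value.
    """
    s = build_caps_string(identities, features, strict=strict)
    digest = hashlib.sha1(s.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample: a well-formed client identity and feature list.
GOOD_IDENTITIES = [{"category": "client", "type": "pc", "name": "ExampleClient 1.0"}]
GOOD_FEATURES = [
    "http://jabber.org/protocol/muc",
    "http://jabber.org/protocol/disco#items",
    "http://jabber.org/protocol/disco#info",
    "http://jabber.org/protocol/caps",
]

# Constructed sample: what a broken peer might send, namely one identity with
# a zero-length 'type' and one with no 'type' attribute at all.
BROKEN_IDENTITIES = [
    {"category": "client", "type": ""},
    {"category": "client"},
]


if __name__ == "__main__":
    print("good, lenient: ", caps_ver(GOOD_IDENTITIES, GOOD_FEATURES))
    print("broken, lenient:", caps_ver(BROKEN_IDENTITIES, GOOD_FEATURES))
    try:
        caps_ver(BROKEN_IDENTITIES, GOOD_FEATURES, strict=True)
    except CapsValidationError as err:
        print("broken, strict: rejected (%s)" % err)
```

Running it shows the point of the thread concretely: the lenient call on the broken identities still produces a perfectly good `ver` string, so the hash function is not where the failure happens; only the optional strict check turns a useless zero-length identity into an error.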