[standards-jig] Version 0.5 of JEP-0045

Ryan Eatmon reatmon at jabber.org
Tue Sep 24 08:41:35 CDT 2002


I'd like to point out that fixing something that a Client is doing wrong 
is a Bad Thing TM.  It fosters the creation of sloppy Clients that will 
work with this one Component, but won't work with others.  Part of the 
reason for creating standards is so that everyone knows what to code 
against.  Set that standard correctly, and let everyone else develop 
against it.


Peter Saint-Andre wrote:

>On reflection, I think option #3 makes the most sense, but I admit that
>we're attempting to interpret the intentions of the sender (or the
>sender's client).
>
>Peter
>
>--
>Peter Saint-Andre
>Jabber Software Foundation
>http://www.jabber.org/people/stpeter.html
>
>On Tue, 24 Sep 2002, Richard Dobson wrote:
>
>>Ah I get the point now,
>>
>>So the sender sends:
>>
>><message to='jdev@conference.jabber.org/receiver'
>>type='groupchat'><body>test</body></message>
>>
>>The receiver receives:
>>
>><message from='jdev@conference.jabber.org/sender'
>>to='receiver@jabber.org/resource'
>>type='groupchat'><body>test</body></message>
>>
>>Which seems to be from the room so the groupchat component when bouncing the
>>message should either
>>
>>1) send back an error:
>>
>><message from='jdev@conference.jabber.org/receiver'
>>to='sender@jabber.org/resource' type='error'>
>>    <body>test</body>
>>    <error code='400'>Bad request</error>
>></message>
>>
>>Problem with the error is that unless the sender specifies an id the
>>sender/client will not know necessarily what action it relates to.
>>
>>2) Or interpret it as a message to the room and just send it to all
>>participants instead of just the one.
>>
>>3) Change it to type "chat" on the way through.
>>
>>4) Ignore the message.
>>
>>Richard
>>
>>----- Original Message -----
>>From: "Peter Saint-Andre" <stpeter at jabber.org>
>>To: <standards-jig at jabber.org>
>>Sent: Tuesday, September 24, 2002 5:55 AM
>>Subject: Re: [standards-jig] Version 0.5 of JEP-0045
>>
>>>On Mon, 23 Sep 2002, David Sutton wrote:
>>>
>>>>A room groupchat message takes the form:
>>>>
>>>><message from='jdev@conference.jabber.org/sender'
>>>>to='receiver@jabber.org' type='groupchat'><body>test</body></message>
>>>>
>>>Actually there is a resource on the 'to' address, no? We need to
>>>differentiate between what the sending client sends and what the receiving
>>>client receives.
>>>
>>>The sender sends:
>>>
>>><message to='jdev@conference.jabber.org'
>>>type='groupchat'><body>test</body></message>
>>>
>>>The receiver receives:
>>>
>>><message from='jdev@conference.jabber.org/sender'
>>>to='receiver@jabber.org/resource'
>>>type='groupchat'><body>test</body></message>
>>>
>>>>If I send a message through the conference server to a user, and set the
>>>>type to be groupchat, then the client receives exactly the same message.
>>>>You just don't know if it was announced to the room, or whether it was
>>>>directed. This could make unsuspecting people start making comments in
>>>>response to messages they believed everyone in the room also saw. The
>>>>sender just turns around and says that they never sent anything, and the
>>>>room logs would prove that point.
>>>>
>>>>It's an exploit in the sense of social engineering. It's easily stopped by
>>>>rejecting any messages received with type 'groupchat' and a resource in
>>>>the 'to' field.
>>>>
>>>So the conferencing component would stop such messages when they are
>>>received by the component from the sender, right? I'd be fine with that.
>>>Would the messages be discarded or would they result in an error? I think
>>>discarding them is good enough.
>>>
>>>/stpeter
>>>
>>>_______________________________________________
>>>Standards-JIG mailing list
>>>Standards-JIG at jabber.org
>>>http://mailman.jabber.org/listinfo/standards-jig

-- 

Ryan Eatmon                   reatmon at jabber.org 
------------------------------------------------
Jabber.org - Perl Team    jid:reatmon at jabber.org
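
The component-side check discussed in the quoted thread (reject type 'groupchat' with a resource on 'to', either by error bounce or by discard), as an added example that is not part of the original messages or of any Jabber component's code. The names `split_jid` and `check_inbound`, the `policy` parameter and the example.org JIDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas as the component would receive them from a sender
# (the sender's server has stamped 'from'); JIDs are made up for illustration.
TO_ROOM = ("<message from='sender@example.org/home' to='jdev@conference.example.org' "
           "type='groupchat' id='m0'><body>test</body></message>")
DIRECTED = ("<message from='sender@example.org/home' "
            "to='jdev@conference.example.org/receiver' "
            "type='groupchat' id='m1'><body>test</body></message>")
PRIVATE = DIRECTED.replace("type='groupchat'", "type='chat'")


def split_jid(jid):
    """Return (bare_jid, resource); resource is None when no '/' is present."""
    bare, sep, resource = jid.partition("/")
    return bare, (resource if sep else None)


def check_inbound(stanza_xml, policy="error"):
    """Decide what to do with a <message/> sent to the conference component.

    Returns (action, reply_xml); action is 'broadcast', 'pass' (not affected
    by this check), 'reject' (bounce with an error) or 'discard'.
    Hypothetical helper, not a real component API.
    """
    # ElementTree is used only to read the constructed samples; a real
    # component gets already-parsed stanzas from its stream parser.
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message":
        raise ValueError("not a message stanza")
    _, resource = split_jid(msg.get("to", ""))
    if msg.get("type") != "groupchat":
        return "pass", None
    if resource is None:
        return "broadcast", None          # normal room message, fan out to all
    # type='groupchat' aimed at a single occupant: never rewrite or deliver it.
    if policy == "discard":
        return "discard", None
    err = ET.Element("message", {"from": msg.get("to"),
                                 "to": msg.get("from", ""), "type": "error"})
    if msg.get("id"):                     # echo id so the sender can correlate
        err.set("id", msg.get("id"))
    err.extend(list(msg))                 # original payload, as in option 1 of the thread
    ET.SubElement(err, "error", {"code": "400"}).text = "Bad request"
    return "reject", ET.tostring(err, encoding="unicode")
```

Echoing the `id` only helps a sender that set one, which is the limitation of the error option noted in the thread.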





