[standards-jig] Version 0.5 of JEP-0045

Richard Dobson richard at dobson-i.net
Tue Sep 24 08:54:50 CDT 2002


Exactly. At the very least it must simply ignore the message, since it is a
potentially malicious thing that we are trying to protect against.

Richard

----- Original Message -----
From: "David Sutton" <jabber at dsutton.legend.uk.com>
To: <standards-jig at jabber.org>
Sent: Tuesday, September 24, 2002 2:53 PM
Subject: Re: [standards-jig] Version 0.5 of JEP-0045

This is, of course, based on the assumption that the client had simply
been coded incorrectly. I guess I was thinking of someone deliberately
sending that xml.

Regards,

  David

On Tue, Sep 24, 2002 at 08:41:35AM -0500, Ryan Eatmon wrote:
>
> I'd like to point out that fixing something that a Client is doing wrong
> is a Bad Thing TM.  It fosters the creation of sloppy Clients that will
> work with this one Component, but won't work with others.  Part of the
> reason of creating standards is so that everyone knows what to code
> against.  Set that standard correctly, and let everyone else develop
> against it.
>
>
> Peter Saint-Andre wrote:
>
> >On reflection, I think option #3 makes the most sense, but I admit that
> >we're attempting to interpret the intentions of the sender (or the
> >sender's client).
> >
> >Peter
> >
> >--
> >Peter Saint-Andre
> >Jabber Software Foundation
> >http://www.jabber.org/people/stpeter.html
> >
> >On Tue, 24 Sep 2002, Richard Dobson wrote:
> >
> >
> >
> >>Ah I get the point now,
> >>
> >>So the sender sends:
> >>
> >><message to='jdev@conference.jabber.org/receiver'
> >>type='groupchat'><body>test</body></message>
> >>
> >>The receiver receives:
> >>
> >><message from='jdev@conference.jabber.org/sender'
> >>to='receiver@jabber.org/resource'
> >>type='groupchat'><body>test</body></message>
> >>
> >>Which seems to be from the room so the groupchat component when bouncing
> >>the
> >>message should either
> >>
> >>1) send back an error:
> >>
> >><message from='jdev@conference.jabber.org/receiver'
> >>to='sender@jabber.org/resource' type='error'>
> >>   <body>test</body>
> >>   <error code='400'>Bad request</error>
> >></message>
> >>
> >>Problem with the error is that unless the sender specifies an id the
> >>sender/client will not know necessarily what action it relates to.
> >>
> >>2) Or interpret it as a message to the room and just send it to all
> >>participants instead of just the one.
> >>
> >>3) Change it to type "chat" on the way through.
> >>
> >>4) Ignore the message.
> >>
> >>Richard
> >>
> >>----- Original Message -----
> >>From: "Peter Saint-Andre" <stpeter at jabber.org>
> >>To: <standards-jig at jabber.org>
> >>Sent: Tuesday, September 24, 2002 5:55 AM
> >>Subject: Re: [standards-jig] Version 0.5 of JEP-0045
> >>
> >>
> >>
> >>
> >>>On Mon, 23 Sep 2002, David Sutton wrote:
> >>>
> >>>
> >>>
> >>>>A room groupchat message takes the form:
> >>>>
> >>>><message from='jdev@conference.jabber.org/sender'
> >>>>to='receiver@jabber.org' type='groupchat'><body>test</body></message>
> >>>>
> >>>>
> >>>Actually there is a resource on the 'to' address, no? We need to
> >>>differentiate between what the sending client sends and what the
> >>>receiving
> >>>client receives.
> >>>
> >>>The sender sends:
> >>>
> >>><message to='jdev@conference.jabber.org'
> >>>type='groupchat'><body>test</body></message>
> >>>
> >>>The receiver receives:
> >>>
> >>><message from='jdev@conference.jabber.org/sender'
> >>>to='receiver@jabber.org/resource'
> >>>type='groupchat'><body>test</body></message>
> >>>
> >>>
> >>>
> >>>>If I send a message through the conference server to a user, and set the
> >>>>type to be groupchat, then the client receives exactly the same message.
> >>>>You just don't know if it was announced to the room, or whether it was
> >>>>directed. This could make unsuspecting people start making comments in
> >>>>response to messages they believed everyone in the room also saw. The
> >>>>sender just turns around and says that they never sent anything, and the
> >>>>room logs would prove that point.
> >>>>
> >>>>It's an exploit in the sense of social engineering. It's easily stopped by
> >>>>rejecting any messages received with type 'groupchat' and a resource in
> >>>>the 'to' field.
> >>>>
> >>>>
> >>>So the conferencing component would stop such messages when they are
> >>>received by the component from the sender, right? I'd be fine with that.
> >>>Would the messages be discarded or would they result in an error? I think
> >>>discarding them is good enough.
> >>>
> >>>/stpeter
> >>>
> >>>_______________________________________________
> >>>Standards-JIG mailing list
> >>>Standards-JIG at jabber.org
> >>>http://mailman.jabber.org/listinfo/standards-jig
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
> --
>
> Ryan Eatmon                   reatmon at jabber.org
> ------------------------------------------------
> Jabber.org - Perl Team    jid:reatmon at jabber.org
>
>
>

--
David Sutton
Email: dsutton at legend.co.uk
Jabber: peregrine at legend.net.uk
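The check David Sutton proposes (reject any inbound message with type 'groupchat' and a resource in the 'to' field) and the fan-out the thread's stanzas show, written out as an added Python example; it is not code from this thread or from any JEP-0045 implementation. The room JID and occupant JIDs are the ones in the thread (the archive renders '@' as ' at '); the occupant table, the silent-discard choice (option 4, where the thread ends up) and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Room JID from the thread; occupant table is constructed for this example.
ROOM_JID = "jdev@conference.jabber.org"

# Hypothetical occupant table: full JID of each occupant -> room nickname.
OCCUPANTS = {
    "sender@jabber.org/resource": "sender",
    "receiver@jabber.org/resource": "receiver",
}


def split_jid(jid: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split 'node@domain/resource' into (node, domain, resource).
    node and resource are None when absent."""
    resource: Optional[str] = None
    if "/" in jid:
        jid, resource = jid.split("/", 1)
    node: Optional[str] = None
    domain = jid
    if "@" in jid:
        node, domain = jid.split("@", 1)
    return node, domain, resource


def screen_groupchat(stanza_xml: str) -> str:
    """Decide what the room does with one <message/> sent by an occupant.

    'broadcast' - type='groupchat' addressed to the bare room JID: fan out.
    'discard'   - type='groupchat' with a resource on 'to': the message that
                  would look like a room broadcast to one recipient only;
                  drop it silently (assumed choice, option 4 in the thread).
    'pass'      - any other message type; outside this check's scope.
    """
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message":
        raise ValueError("not a <message/> stanza")
    if msg.get("type") != "groupchat":
        return "pass"
    _node, _domain, resource = split_jid(msg.get("to", ""))
    if resource is not None:
        return "discard"
    return "broadcast"


def relay(stanza_xml: str, from_jid: str) -> List[str]:
    """Fan out a groupchat message the way the thread's stanzas show: each
    copy carries from='room/nick' and the occupant's full JID in 'to'.
    Returns the serialized copies; empty when the message is not broadcast."""
    if screen_groupchat(stanza_xml) != "broadcast":
        return []
    nick = OCCUPANTS[from_jid]
    body = ET.fromstring(stanza_xml).findtext("body", default="")
    copies = []
    for occupant_jid in OCCUPANTS:
        out = ET.Element("message", {
            "from": f"{ROOM_JID}/{nick}",
            "to": occupant_jid,
            "type": "groupchat",
        })
        ET.SubElement(out, "body").text = body
        copies.append(ET.tostring(out, encoding="unicode"))
    return copies


if __name__ == "__main__":
    # The two sender-side stanzas discussed in the thread.
    legitimate = ("<message to='jdev@conference.jabber.org' "
                  "type='groupchat'><body>test</body></message>")
    disguised = ("<message to='jdev@conference.jabber.org/receiver' "
                 "type='groupchat'><body>test</body></message>")
    for stanza in (legitimate, disguised):
        print(screen_groupchat(stanza), "->", relay(stanza, "sender@jabber.org/resource"))
```

Every occupant's copy of a broadcast carries the same from='room/nick' and a 'to' of the occupant's own full JID, so a receiving client cannot tell a one-recipient delivery from a real broadcast by inspection; that is why the check has to live in the component, on the sender-side stanza, where the resource on 'to' is still visible.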




