[JDEV] Re: jabber; what would you like to see?

Ulrich B. Staudinger us at die-horde.de
Thu Sep 25 08:05:22 CDT 2003

Richard Dobson wrote:

>>What I picture is that one could have a scripting language within the
>>packets, for example:
>><iq type="get">
>><query xmlns="bla bla">
>>for ($i=0; $i<$@#users) {
>>   echo "<message to=@user[$i]> In my new roster bla bla ";
>>createrostergroup(@users, "newrostergroup");
>>return @users;
>Sorry but to me anyone doing something like this should be shot, having
>scripting sent inside packets to be processed by the endpoint like this is a
>security hole of an enormous magnitude, and we definitely should not be
>doing anything like this. This is kind of like word macros, it can have some
>benefits but the potential for abuse is massive, it would require all sorts
>of extra security stuff to even attempt to secure it. Overall I think the
>downsides are far more than the benefit of the convenience, the best thing
>is to continue doing what we have been doing and creating protocols for set
>purposes. We don't need the flexibility of a scripting system as we already
>have the flexibility/extensibility of XML and the jabber protocol to do
>things like this without creating massive security holes.
Maybe not shot - only dipped into cold coffee for more than an hour ...
+1 - absolutely not supportable from my side.


Ulrich B. Staudinger
email: us at die-horde.de
jid: uls at jabber.org

current project: REDHORN

Blog: http://jabber.linux.it/jogger/user.php?jid=uls@jabber.org
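The "protocols for set purposes" approach argued for in this thread, as an added example that is not part of the original messages: the roster-group request is expressed as declarative XML and handled through a fixed dispatch table, so the payload is never evaluated. The namespaces `urn:example:roster-group` and `urn:example:script`, the element layout, the size limits and the sample stanzas are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical namespace for this example; not a registered Jabber extension.
NS_GROUP = "urn:example:roster-group"
MAX_MEMBERS = 50  # assumed limit

# Constructed sample stanzas: the same intent as data, and as an embedded script.
DECLARATIVE = ('<iq type="set" id="g1"><query xmlns="urn:example:roster-group">'
               '<group name="newrostergroup"><item jid="alice@example.org"/>'
               '<item jid="bob@example.org"/></group></query></iq>')
SCRIPTED = ('<iq type="get" id="g2"><query xmlns="urn:example:script">'
            'createrostergroup(users, "newrostergroup");</query></iq>')

def handle_roster_group(query, roster):
    """Create a roster group from declared, validated fields only."""
    group = query.find(f"{{{NS_GROUP}}}group")
    if group is None:
        return "bad-request"
    name = (group.get("name") or "").strip()
    jids = [i.get("jid", "") for i in group.findall(f"{{{NS_GROUP}}}item")]
    if not name or len(name) > 64 or not jids or len(jids) > MAX_MEMBERS:
        return "bad-request"
    if any("@" not in j or len(j) > 256 for j in jids):
        return "bad-request"
    roster.setdefault(name, set()).update(jids)
    return "result"

# Fixed dispatch table: the receiver, not the sender, decides which operations exist.
HANDLERS = {("set", NS_GROUP): handle_roster_group}

def process_iq(stanza_xml, roster):
    """Return "result" or an error condition name for one <iq/> stanza."""
    if "<!DOCTYPE" in stanza_xml or "<!ENTITY" in stanza_xml:
        return "bad-request"  # no DTDs or entity declarations accepted
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return "bad-request"
    if iq.tag.split("}")[-1] != "iq" or len(iq) != 1:
        return "bad-request"
    query = iq[0]
    ns = query.tag[1:].split("}")[0] if query.tag.startswith("{") else ""
    handler = HANDLERS.get((iq.get("type"), ns))
    if handler is None:
        return "service-unavailable"  # unknown namespace: refuse, never interpret
    return handler(query, roster)
```

Calling `process_iq(SCRIPTED, {})` returns `service-unavailable` because no handler is registered for that namespace; the script text stays inert character data.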
