[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)

Kurt Zeilenga Kurt.Zeilenga at Isode.com
Wed Aug 5 22:25:45 UTC 2009


How fitting.  I was just reviewing security aspects of this document.

I'm particularly concerned that <include/> elements are to be processed by the
importer regardless of where they appear in the input,
because the input appears to contain content under user control.  For
instance, consider the import of an
export of an offline message:
> <message xmlns='jabber:client' from='romeo@montague.net/orchard'
>          to='juliet@capulet.com/balcony' type='chat'>
>   <body>Neither, fair saint, if either thee dislike.</body>
>   <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/XInclude'>
>     <xi:include href="file:///dev/random"/>
>   </x>
>   <delay xmlns='urn:xmpp:delay' from='capulet.com'
>          stamp='1469-07-21T00:32:29Z'>Offline Storage</delay>
> </message>

This got me wondering about what other damage could be done by
blindly trusting that content not under the administrator's
control is safe... but I have to dive deeper.

-- Kurt
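The following is an added example illustrating the concern above; it is not code from the post, from XEP-0227 or from any XMPP server. It shows an importer that expands every xi:include in an export (so an include smuggled inside a stored message pulls a server file into the imported data) beside one that refuses includes anywhere below the export's structural elements and confines the remaining ones to the export directory. The export layout, the `urn:xmpp:pie:0` namespace, the set of "structural" parents and the file paths are assumptions for illustration; the filesystem is an in-memory dict so the script runs offline, and plain paths stand in for the file:// URI of the post.

```python
"""XInclude inside user-authored XMPP data: the leak, and a fail-closed check.

Added example, not code from XEP-0227 or from any XMPP server. Export layout,
namespace and paths are assumptions; the filesystem is an in-memory dict.
"""
import posixpath
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI = "http://www.w3.org/2001/XInclude"
PIE = "urn:xmpp:pie:0"  # assumed export namespace
XI_INCLUDE = f"{{{XI}}}include"
# Parents under which the administrator's own structural includes are expected
# (assumption): anything deeper, e.g. inside a stanza, is user-authored data.
STRUCTURAL_PARENTS = {f"{{{PIE}}}host", f"{{{PIE}}}user"}

# Constructed stand-in for the importing server's filesystem.
FAKE_FS = {
    "/var/lib/xmpp/users.xml": "<users xmlns='urn:example:users'><user name='alice'/></users>",
    "/etc/xmpp/server.key": "CONSTRUCTED-PRIVATE-KEY-MATERIAL",
}


def make_export(user_payload):
    """Constructed export: one administrator include plus one offline message
    whose <x/> child carries content authored by the remote sender."""
    return f"""<server-data xmlns='{PIE}' xmlns:xi='{XI}'>
  <host jid='capulet.com'>
    <xi:include href='/var/lib/xmpp/users.xml'/>
    <user name='juliet'>
      <offline-messages>
        <message xmlns='jabber:client' from='romeo@montague.net/orchard'
                 to='juliet@capulet.com/balcony' type='chat'>
          <body>Neither, fair saint, if either thee dislike.</body>
          <x xmlns='http://example'>{user_payload}</x>
        </message>
      </offline-messages>
    </user>
  </host>
</server-data>"""


MALICIOUS_EXPORT = make_export("<xi:include href='/etc/xmpp/server.key' parse='text'/>")
BENIGN_EXPORT = make_export("<note>hello</note>")


def make_loader(fs, log):
    """ElementInclude loader that reads the dict 'filesystem' and records
    every href it is asked for."""
    def loader(href, parse, encoding=None):
        log.append(href)
        if href not in fs:
            raise FileNotFoundError(href)
        return ET.fromstring(fs[href]) if parse == "xml" else fs[href]
    return loader


def restricted_loader(fs, log, allowed_prefix):
    """Same loader, but refuses any href outside the export directory after
    normalising '..' segments."""
    inner = make_loader(fs, log)
    def loader(href, parse, encoding=None):
        if not posixpath.normpath(href).startswith(allowed_prefix):
            raise PermissionError(f"include of {href!r} refused: outside {allowed_prefix!r}")
        return inner(href, parse, encoding)
    return loader


def naive_import(export_xml, fs):
    """What the post warns about: expand every xi:include wherever it appears."""
    root = ET.fromstring(export_xml)
    loaded = []
    ElementInclude.include(root, loader=make_loader(fs, loaded))
    return root, loaded


def untrusted_includes(doc):
    """(parent tag, href) for each xi:include not directly under a structural
    element, i.e. one that arrived inside user-controlled content."""
    root = ET.fromstring(doc) if isinstance(doc, str) else doc
    return [(parent.tag, child.get("href"))
            for parent in root.iter()
            for child in parent
            if child.tag == XI_INCLUDE and parent.tag not in STRUCTURAL_PARENTS]


def hardened_import(export_xml, fs, allowed_prefix="/var/lib/xmpp/"):
    """Fail closed on includes in user data, then expand the administrator's
    includes with a loader confined to the export directory."""
    root = ET.fromstring(export_xml)
    bad = untrusted_includes(root)
    if bad:
        raise ValueError(f"refusing import: xi:include inside user data: {bad}")
    loaded = []
    ElementInclude.include(root, loader=restricted_loader(fs, loaded, allowed_prefix))
    return root, loaded


def payload_text(root):
    """Text that ended up inside the user-authored <x/> element after import."""
    return "".join(root.find(".//{http://example}x").itertext()).strip()


if __name__ == "__main__":
    root, loaded = naive_import(MALICIOUS_EXPORT, FAKE_FS)
    print("naive importer read:", loaded)
    print("now stored as Juliet's offline message:", payload_text(root))
    try:
        hardened_import(MALICIOUS_EXPORT, FAKE_FS)
    except ValueError as exc:
        print("hardened importer:", exc)
    root, loaded = hardened_import(BENIGN_EXPORT, FAKE_FS)
    print("benign export imported, files read:", loaded)
```

The structural check runs before any expansion, so a rejected export never causes a file read; the path restriction in the loader is a second, independent line of defence for the includes that are allowed, since even an administrator-placed include should not be able to reach outside the export directory.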



More information about the Standards mailing list