[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)
Kurt.Zeilenga at Isode.com
Wed Aug 5 22:25:45 UTC 2009
How fitting. I was just reviewing security aspects of this document.
I'm particularly concerned that <include/> are to be processed by the
importer regardless of where they appear in the input
because the input appears to contain content under user control. For
instance, consider for instance the import of an
export of a offline message:
> <message xmlns='jabber:client' from='romeo at montague.net/orchard' to='juliet at capulet.com
> /balcony' type='chat'>
> <body>Neither, fair saint, if either thee dislike.</body>
> <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/
> XInclude'><xi:include href="file:///dev/random"/></x>
> <delay xmlns='urn:xmpp:delay' from='capulet.com'
> stamp='1469-07-21T00:32:29Z'> Offline Storage </delay> </message>
This got me wondering about what other damage could be done by
blinding trusting content not under the administrator's
control is safe... but I have to dive deeper.
More information about the Standards