[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)

Dave Cridland dave at cridland.net
Thu Aug 6 07:55:47 UTC 2009

On Wed Aug  5 23:25:45 2009, Kurt Zeilenga wrote:
> How fitting.  I was just reviewing security aspects of this  
> document.
> I'm particularly concerned that <include/> are to be processed by  
> the  importer regardless of where they appear in the input
> because the input appears to contain content under user control.   
> For  instance, consider for instance the import of an
> export of a offline message:
>> <message xmlns='jabber:client' from='romeo at montague.net/orchard'  
>> to='juliet at capulet.com /balcony' type='chat'>
>> <body>Neither, fair saint, if either thee dislike.</body>
>> <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/  
>> XInclude'><xi:include href="file:///dev/random"/></x>
>> <delay xmlns='urn:xmpp:delay' from='capulet.com'   
>> stamp='1469-07-21T00:32:29Z'> Offline Storage </delay> </message>
Oh, that would be evil. It's easier to take advantage of if you use  
Private XML storage, of course - which in turn reminds me that  
persistent P*P nodes also need to be included in the spec.

> This got me wondering about what other damage could be done by   
> blinding trusting content not under the administrator's
> control is safe... but I have to dive deeper.

I think for the most part, none, but as a general rule of thumb,  
XEP-0227 does need to raise this general issue.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Standards mailing list