[Standards] LAST CALL: XEP-0227 (Portable Import/Export Format for XMPP-IM Servers)
dave at cridland.net
Thu Aug 6 07:55:47 UTC 2009
On Wed Aug 5 23:25:45 2009, Kurt Zeilenga wrote:
> How fitting. I was just reviewing security aspects of this
> I'm particularly concerned that <include/> are to be processed by
> the importer regardless of where they appear in the input
> because the input appears to contain content under user control.
> For instance, consider the import of an
> export of an offline message:
>> <message xmlns='jabber:client' from='romeo@montague.net/orchard'
>>          to='juliet@capulet.com/balcony' type='chat'>
>>   <body>Neither, fair saint, if either thee dislike.</body>
>>   <x xmlns='http://example' xmlns:xi='http://www.w3.org/2001/XInclude'>
>>     <xi:include href="file:///dev/random"/>
>>   </x>
>>   <delay xmlns='urn:xmpp:delay' from='capulet.com'
>>          stamp='1469-07-21T00:32:29Z'> Offline Storage </delay>
>> </message>
Oh, that would be evil. It's easier to take advantage of if you use
Private XML storage, of course - which in turn reminds me that
persistent P*P nodes also need to be included in the spec.
> This got me wondering about what other damage could be done by
> blindly trusting content not under the administrator's
> control is safe... but I have to dive deeper.
I think for the most part, none, but as a general rule of thumb,
XEP-0227 does need to raise this general issue.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
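
An added example, not part of the original message or of XEP-0227: one way an importer could separate includes that belong to the export's own structure from includes buried in user-supplied stanzas, which should be stored as inert data and never resolved. The set of allowed parent elements, the helper names and the sample export are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
# Assumption: the exporter only emits includes as direct children of these
# structural elements. Matched by local name, so the check does not depend
# on which namespace the export format uses.
STRUCTURAL_PARENTS = {"server-data", "host"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify_includes(xml_text):
    """Return (structural, untrusted) lists of (path, href) for xi:include."""
    root = ET.fromstring(xml_text)  # ElementTree does not resolve XInclude itself
    structural, untrusted = [], []

    def walk(elem, path, in_structure):
        for child in elem:
            child_path = path + "/" + local(child.tag)
            if child.tag == XI_INCLUDE:
                bucket = structural if in_structure else untrusted
                bucket.append((child_path, child.get("href")))
            else:
                # Once we leave the structural chain we never re-enter it.
                walk(child, child_path,
                     in_structure and local(child.tag) in STRUCTURAL_PARENTS)

    walk(root, "/" + local(root.tag), local(root.tag) in STRUCTURAL_PARENTS)
    return structural, untrusted

# Constructed sample: one exporter-written include plus the offline message
# from the thread, carrying an include inside user-controlled content.
SAMPLE = """<server-data xmlns='urn:xmpp:pie:0' xmlns:xi='http://www.w3.org/2001/XInclude'>
  <xi:include href='montague.net.xml'/>
  <host jid='capulet.com'><user name='juliet'><offline-messages>
    <message xmlns='jabber:client' from='romeo@montague.net/orchard'
             to='juliet@capulet.com/balcony' type='chat'>
      <body>Neither, fair saint, if either thee dislike.</body>
      <x xmlns='http://example'><xi:include href='file:///dev/random'/></x>
    </message>
  </offline-messages></user></host>
</server-data>"""

if __name__ == "__main__":
    ok, bad = classify_includes(SAMPLE)
    print("resolve:", ok)
    print("store as data, do not resolve:", bad)
```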