[Standards] UPDATED: XEP-0313 (Message Archive Management)

Daniel Gultsch daniel at gultsch.de
Sun Jun 12 11:39:41 UTC 2016


I'm bumping this thread since it hasn't yielded too many responses since I
originally voiced my concerns.

To briefly summarize the matter again.
1) XEP-0313 Section 5.1.2 describes a way for a server to inject the
original / real jid into MUC messages.
2) This is a very useful addition to the spec in principal, however…
3) As a client I can't trust this information without a namespace bump.

This means I would love to implement this in my client but I can't.

So I would strongly suggest to bump the namespace on MAM ASAP. However
bumping namespaces is not something we should do lightly and we should
consider doing other changes as well like the stanza-ids that have been
proposed over a year ago and are generally considered a good idea?


2016-01-20 19:16 GMT+01:00 Daniel Gultsch <daniel at gultsch.de>:

> Hi,
> while I see the general need for the added x Element in forwarded muc
> messages. (I think i brought this up myself once in an earlier thread.)
> This is missing a 'Security Consideration' that servers must remove the x
> element if a users sends it. (In case the server is storing the entire
> stanza and not just the Content of the body element.) Otherwise users can
> very easily spoof messages as being from a different sender.
> However the main problem is that even if the server removes those elements
> as a client I still can't trust them because I don't know whether the
> server has added the element or a malicious user.
> I was always meaning to spark a conversation about server injecting
> elements into stanzas that don't originate from them. (ejabberd for example
> is already injecting the stanza-id (which don't get me wrong is a good
> thing in theory.) The problem is not to sanitize those stanzas on the
> server side the problem is that i don't know as a client.
> I don't have a good solution to this yet and this should definitely go
> into a different thread by maybe something about a special attribute for
> example 'by' that indicates who injected that tag and a general rule to
> remove all elements that have the attribute by with my entity - or
> something.
> cheers
> Daniel
> 2016-01-20 18:27 GMT+01:00 XMPP Extensions Editor <editor at xmpp.org>:
>> Version 0.5 of XEP-0313 (Message Archive Management) has been released.
>> Abstract: This document defines a protocol to query and control an
>> archive of messages stored on a server.
>> Changelog: [See revision history] (XEP Editor (mam))
>> Diff: http://xmpp.org/extensions/diff/api/xep/0313/diff/0.4.1/vs/0.5
>> URL: http://xmpp.org/extensions/xep-0313.html
>> _______________________________________________
>> Standards mailing list
>> Info: http://mail.jabber.org/mailman/listinfo/standards
>> Unsubscribe: Standards-unsubscribe at xmpp.org
>> _______________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20160612/8da959d3/attachment.html>

More information about the Standards mailing list