[Standards] What is the size limit of node and item ids in XEP-0060: Publish-Subscribe?

Peter Saint-Andre stpeter at stpeter.im
Tue Mar 6 01:59:04 UTC 2018


On 3/5/18 12:17 AM, Jonas Wielicki wrote:
> On Sonntag, 4. März 2018 19:42:39 CET Peter Saint-Andre wrote:
>> On 3/4/18 10:54 AM, Jonas Wielicki wrote:
>>> On Sonntag, 4. März 2018 17:02:07 CET Peter Saint-Andre wrote:
>>>> If we want to specify this, I would recommend the UsernameCaseMapped
>>>> profile defined in RFC 8265.
>>>>
>>>> However, there's a twist: if a node ID can be a full JID, then do we
>>>> want to apply the normal rules of RFC 7622 to all the JID parts, instead
>>>> of one uniform profile such as UsernameCaseMapped to the entire node ID?
>>>> For instance, the resourcepart of a JID is allowed to contain a much
>>>> wider range of Unicode characters than is allowed by the
>>>> UsernameCaseMapped profile of the PRECIS IdentifierClass (which we use
>>>> for the localpart).
>>>>
>>>> Given that a node ID can be used for authorization decisions, I think
>>>> it's better to be conservative in what we accept (specifically, not
>>>> allow the wider range of characters in a resourcepart because
>>>> developers, and attackers, could get too "creative").
>>>
>>> I would argue that adding those restrictions / any kind of string prepping
>>> to XEP-0060 or XEP-0030 nodes is (a) too late and (b) ambiguous at least,
>>> as you mentioned (depending on the data).
>>
>> I would argue that not specifying normalization rules is a security hole
>> (e.g., allowing an attacker to gain unauthorized access to a node). Just
>> because we should've done this years ago doesn't mean we can fix it now.
> 
> Hm, okay, I don’t seem to understand the attack vector. Could you spell it out 
> more clearly to me?

Here's a true, non-XMPP example: I have the account stpeter at gmail.com.
However, Google ignores "." in the localpart. Therefore I receive some
email messages intended for st.peter at gmail.com. I could probably reset
passwords (via email-based authentication) and take over other accounts
associated with st.peter at gmail.com.

Similarly, let's say you create a node "foo2" at pubsub.example.com. If
I know that this service decomposes superscript characters to their
compatibility equivalents, I could create a node "foo²" (the last
character is U+00B2 = SUPERSCRIPT TWO) and the service would consider it
to be the same as "foo2". Now I can publish notifications to your node
without ever trying to take over your account - I just use my "foo²" node.

Here is a real-world example (using an old version of XMPP nodeprep, no
less!):

https://labs.spotify.com/2013/06/18/creative-usernames/

Let me know if the attack vector is still not clear. :-)

Peter
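The "foo2" / "foo²" collision described above, as an added example (not code from this thread or from any XMPP implementation): a hypothetical pubsub service that keys node IDs by NFKC plus casefold lets two distinct raw strings map to one stored node, while a conservative policy rejects the superscript up front. The conservative check is a simplified approximation of the UsernameCaseMapped profile (RFC 8265), not the full PRECIS algorithm.

```python
import unicodedata

# Printable ASCII7 range of the PRECIS IdentifierClass (RFC 8264), space excluded.
_ASCII7 = {chr(c) for c in range(0x21, 0x7F)}
# Unicode general categories that make up the PRECIS LetterDigits category.
_LETTER_DIGITS = {"Ll", "Lu", "Lo", "Nd", "Lm", "Mn", "Mc"}


def permissive_key(node_id: str) -> str:
    """Key a permissive (hypothetical) service would store: compatibility-decompose
    with NFKC, then casefold. This is the behaviour the message warns about:
    'foo²' (U+00B2) collapses to 'foo2'."""
    return unicodedata.normalize("NFKC", node_id).casefold()


def would_collide(existing: str, candidate: str) -> bool:
    """True when two different raw node IDs map to the same permissive key."""
    return existing != candidate and permissive_key(existing) == permissive_key(candidate)


def conservative_node_id(node_id: str) -> str:
    """Simplified approximation of UsernameCaseMapped: reject empty strings, code
    points outside LetterDigits/ASCII7, and any code point that has a compatibility
    decomposition; then casefold and NFC-normalize what remains. (The real profile
    adds width mapping, a bidi rule and further PRECIS category checks.)"""
    if not node_id:
        raise ValueError("empty node ID")
    for ch in node_id:
        if ch in _ASCII7:
            continue
        if unicodedata.category(ch) not in _LETTER_DIGITS:
            raise ValueError(f"U+{ord(ch):04X} is not a letter or digit")
        if unicodedata.normalize("NFKC", ch) != ch:
            raise ValueError(f"U+{ord(ch):04X} has a compatibility decomposition")
    return unicodedata.normalize("NFC", node_id.casefold())


def accepts(node_id: str) -> bool:
    """Does the conservative policy accept this node ID?"""
    try:
        conservative_node_id(node_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for victim, attacker in (("foo2", "foo\u00b2"), ("foo2", "FOO2")):
        print(f"{victim!r} vs {attacker!r}: permissive collision={would_collide(victim, attacker)}, "
              f"conservative accepts attacker={accepts(attacker)}")
```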

