Fwd: [Support request] Tigase XMPP server should not pass through non-well-formed XML
mark at kingant.net
Tue Aug 17 19:21:48 EDT 2010
---------- Forwarded message ----------
From: Artur Hefczyc <artur.hefczyc at tigase.org>
Date: Tue, Aug 17, 2010 at 3:59 PM
Subject: Re: [Support request] Tigase XMPP server should not pass through non-well-formed XML
To: mark at kingant.net
Thank you for your message and letting me know about the problem.
I will look at it at the earliest possible time.
By the way, is the 0x0b character really an invalid XML character?
On Aug 17, 2010, at 2:25 PM, Tigase.org Support wrote:
> Mark Doliner sent a message using the contact form at
> Hi! As far as I've been able to tell, XMPP servers should disconnect clients
> that send illegal XML characters. And more importantly, XMPP servers
> should NOT pass through illegal XML characters.
> The original RFC3920 is a little vague on this issue (search for
> "well-formed"), but Peter Saint-Andre's current draft revision is fairly
> "An XMPP entity MUST NOT accept data that is not XML-well-formed; instead it
> MUST return an <xml-not-well-formed/> stream error and close the stream over
> which the data was received."
> I'm able to reproduce this bug using Pidgin 2.7.3 in Linux.
> 1. Start two instances of Pidgin (if you're using a single computer then you
> will probably need to use the --multiple flag)
> 2. In each instance, login to a separate account on a single Tigase server (I
> used tigase.im)
> 3. In one of the instances, set your status to "away" and type the message
> "test" then <ctrl>+<shift>+u then 013 then space. This will insert the ASCII
> character 013 aka 0x0b aka vertical tab
> 4. The other instance will be disconnected
> Background: I'm a developer on the Pidgin IM client. We had a bug reported
> to us that Pidgin clients disconnect if someone in your buddy list inserts an
> illegal XML character into their status message. I believe Pidgin's behavior
> is correct, according to the XMPP standards. This effectively allows clients
> connected to a Tigase server to perform denial of service attacks against
> each other, which is why I believe this is somewhat of a security issue.
> If you have any questions, or disagree with my conclusions, or if there is a
> better place for me to report this, please let me know and we can discuss
>  http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
>  http://xmpp.org/rfcs/rfc3920.html
>  http://tools.ietf.org/html/draft-ietf-xmpp-3920bis-12#section-11.3
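As an added example (not part of this thread, Pidgin or Tigase), here is the XML 1.0 Char production from the W3C link above applied to the vertical-tab status from the repro steps; the stanza text and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production (REC-xml-20081126, section 2.2):
#   Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# 0x0B (vertical tab) sits in the gap between #xA and #xD, so it is not a
# legal character anywhere in an XML 1.0 document, not even as &#11;.
_XML_CHAR = re.compile(
    "[\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def illegal_xml_chars(text):
    """Return (offset, codepoint) for every character outside the Char production."""
    return [(i, ord(c)) for i, c in enumerate(text) if not _XML_CHAR.match(c)]


def is_well_formed_stanza(stanza):
    """True if a conforming XML parser (expat here) accepts the stanza."""
    try:
        ET.fromstring(stanza)
        return True
    except ET.ParseError:
        return False


# Constructed samples: an "away" presence as a client might send it, once with
# the status "test" followed by a vertical tab (U+000B) and once without.
PRESENCE_BAD = "<presence><show>away</show><status>test\x0b</status></presence>"
PRESENCE_OK = "<presence><show>away</show><status>test</status></presence>"


def server_action(stanza):
    """Hypothetical server-side decision before a stanza is routed to other
    clients: route it, or close the originating stream with
    <xml-not-well-formed/> as the draft quoted in the report requires.
    Returns (action, offending characters)."""
    bad = illegal_xml_chars(stanza)
    if bad:
        return "close-stream:xml-not-well-formed", bad
    return "route", []


if __name__ == "__main__":
    for s in (PRESENCE_OK, PRESENCE_BAD):
        print(server_action(s), "parser accepts:", is_well_formed_stanza(s))
```

Checking the originating stream this way keeps the malformed stanza from ever reaching the recipients, which is the point of the report: the sender's stream is the one that should be closed, not the receivers'.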