Pidgin disconnect upon reception of a backspace
Paul Aurich
paul at darkrain42.org
Sun Oct 3 18:18:56 EDT 2010
On 2010-09-28 04:46, Nicolas Anonyme wrote:
> I'm working in a small (french) company (~ 350 ppl)
>
> * and everyone is connected to an internal XMPP server (OpenFire I
> think)
You're almost certainly using Openfire :/
> * and the IM clients are a mix of spark / pidgin / gajim / psi / etc.
>
>
> Yesterday a coworker sent a block of binary data in a message to another
> coworker and it *disconnected him every time* (both were using pidgin).
>
> We quickly isolated the culprit : a simple "*backspace*".
> Two other clients (spark and psi) filter it out of messages (either when
> sending it or when receiving it), but pidgin and gajim do not.
> And only those last two disconnect when receiving this character.
>
<snip/>
> Maybe it's the task of the server to filter such unwanted content, but
> pidgin would gain stability and usability on being more fault tolerant
> on this one (IMHO).
This is actually a common-ish question (and I'm tempted to put it into
the FAQ). The XMPP standards are actually very explicit about how to
handle receipt of invalid XML ( and any other entity-encoded
references to ascii control characters other than \n, \r, and \t are
invalid XML 1.0). I broke it down more fully in the comments on ticket
#12170 [1], but the long and short of it is that we MUST NOT accept invalid
XML and MUST disconnect the stream.
That constraint also applies to servers -- Openfire *certainly*
shouldn't be routing the stanzas, but it also shouldn't be "filtering"
them out; it should be disconnecting the sender (this is what almost all
other servers do). There's a ticket on Openfire's tracker for this [2]
(which appears to be closed -- I haven't tested Openfire 3.7.0beta), and
I know another Pidgin developer has been in contact with the Openfire
devs directly about this behavior violating the standards and causing
client issues.
[1] http://developer.pidgin.im/ticket/12170
[2] http://issues.igniterealtime.org/browse/OF-91
Thanks,
~Paul
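
An added example, not part of the original message and not code from Pidgin or Openfire: a sender-side check against the XML 1.0 character rule the reply refers to, next to a receiver-side check showing that a conforming parser rejects a backspace whether it arrives raw or as a character reference. The function names and the sample address are hypothetical, and a single stanza is parsed on its own here rather than inside an XMPP stream.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# XML 1.0 "Char" production: #x9 | #xA | #xD | [#x20-#xD7FF] |
# [#xE000-#xFFFD] | [#x10000-#x10FFFF]. Everything else is forbidden,
# whether it appears raw or as a character reference such as &#8;.
_NOT_XML10_CHAR = re.compile(
    "[^\t\n\r\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def invalid_xml_chars(text):
    """Return (offset, code point) for every character XML 1.0 forbids."""
    return [(m.start(), ord(m.group())) for m in _NOT_XML10_CHAR.finditer(text)]


def build_message_stanza(to, body):
    """Sender side (hypothetical helper): refuse to serialize a bad body."""
    bad = invalid_xml_chars(body)
    if bad:
        listing = ", ".join("U+%04X at offset %d" % (cp, off) for off, cp in bad)
        raise ValueError("body is not representable in XML 1.0: " + listing)
    return "<message to=%s type='chat'><body>%s</body></message>" % (
        quoteattr(to), escape(body))


def receiver_accepts(stanza_xml):
    """Receiver side: True if a conforming parser finds the XML well-formed."""
    try:
        ET.fromstring(stanza_xml)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample input: text with an embedded backspace (U+0008).
    pasted = "binary\x08blob"
    print(invalid_xml_chars(pasted))
    print(receiver_accepts("<message><body>a&#8;b</body></message>"))
    print(receiver_accepts(build_message_stanza("user@example.com", "a < b\n")))
```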