Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Wed Sep 22 14:44:21 EDT 2010

FYI, just keeping people up to date on two more emails about Openfire
passing through invalid XML characters.


---------- Forwarded message ----------
From: Guus der Kinderen <guus.der.kinderen at gmail.com>
Date: Sun, Aug 22, 2010 at 12:21 PM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: daryl herzmann <akrherz at iastate.edu>,
"security at igniterealtime.org" <security at igniterealtime.org>

Hi Mark,

Daryl and I did some tests - things appear to be fixed now, for both
the HTTPBind / BOSH and the regular socket interface. There are two
glitches that I'll solve when reworking the entire I/O implementation
(relates to surrogates and the 0x0 char).

Can you verify that the issue has otherwise been resolved at igniterealtime.org?



On 17 August 2010 18:21, Mark Doliner <mark at kingant.net> wrote:
> On Tue, Aug 17, 2010 at 4:36 AM, daryl herzmann <akrherz at iastate.edu> wrote:
>> I also noted that your reported issue occurs in Tigase.  Hopefully we'll
>> figure out how to fix this.
> Oh I didn't realize that.  Thanks for checking.  I'll make sure
> they're aware of it.
> --Mark
