Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Wed Sep 22 14:44:32 EDT 2010

---------- Forwarded message ----------
From: Mark Doliner <mark at kingant.net>
Date: Fri, Aug 27, 2010 at 12:49 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Guus der Kinderen <guus.der.kinderen at gmail.com>
Cc: daryl herzmann <akrherz at iastate.edu>,
"security at igniterealtime.org" <security at igniterealtime.org>

I'm still able to reproduce this problem :-(

One thing I noticed is that Pidgin doesn't send the raw ascii
character, but rather encodes it as &#x13;  For example, here's what
my entire set presence stanza looks like:

<presence><status>test &#x13; test</status><priority>1</priority><c
xmlns='http://jabber.org/protocol/caps' node='http://pidgin.im/'
hash='sha-1' ver='AcN1/PEN8nq7AHD+9jpxMV4U6YM=' ext='voice-v1
camera-v1 video-v1'/><x

So I'm wondering if now the igniterealtime.org server correctly
rejects ASCII character 13, but still passes through the character
when it's encoded?  Sorry for the confusion, I should have been more
clear before.


On Sun, Aug 22, 2010 at 12:21 PM, Guus der Kinderen
<guus.der.kinderen at gmail.com> wrote:
> Hi Mark,
> Daryl and me did some tests - things appear to be fixed now, for both
> the HTTPBind / BOSH as regular socket interface. There are two
> glitches that I'll solve when reworking the entire I/O implementation
> (relates to surrogates and the 0x0 char).
> Can you verify that the issue has otherwise been resolved at igniterealtime.org?
> Regards,
>   Guus
> On 17 August 2010 18:21, Mark Doliner <mark at kingant.net> wrote:
>> On Tue, Aug 17, 2010 at 4:36 AM, daryl herzmann <akrherz at iastate.edu> wrote:
>>> I also noted that your reported issue occurs in Tigase.  Hopefully we'll
>>> figure out how to fix this.
>> Oh I didn't realize that.  Thanks for checking.  I'll make sure
>> they're aware of it.
>> --Mark

More information about the security mailing list