Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Sun Feb 12 01:26:27 EST 2012


Some of you may remember that in August and September 2010 Cory
reported an issue about Pidgin sending not-well-formed XML to some
XMPP servers, and the servers would incorrectly pass through the bad
characters.  We reported the issue to the Openfire and Tigase people.
Openfire emailed me earlier this week to let me know they fixed the
issue on igniterealtime.org (not sure whether the fix has been
committed or released... but it does seem like it's in the pipeline).

Forwarded email 1 of 2 is below.  And I'll forward more, if there are any.

--Mark

---------- Forwarded message ----------
From: Guus der Kinderen <guus.der.kinderen at gmail.com>
Date: Tue, Feb 7, 2012 at 1:39 PM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: daryl herzmann <akrherz at iastate.edu>,
"security at igniterealtime.org" <security at igniterealtime.org>


Hi Mark,

It's been a while, but we recently made some progress on this issue.
Your hunch was correct: Openfire failed to check for numeric
character references that pointed to characters outside of the XML 1.0
accepted character set.

I'm pretty sure we fixed this on the igniterealtime.org domain. Would
you care to see if you can still reproduce the issue there?

Kind regards,

  Guus


On 27 August 2010 09:49, Mark Doliner <mark at kingant.net> wrote:
>
> I'm still able to reproduce this problem :-(
>
> One thing I noticed is that Pidgin doesn't send the raw ascii
> character, but rather encodes it as &#x13;  For example, here's what
> my entire set presence stanza looks like:
>
> <presence><status>test &#x13; test</status><priority>1</priority><c
> xmlns='http://jabber.org/protocol/caps' node='http://pidgin.im/'
> hash='sha-1' ver='AcN1/PEN8nq7AHD+9jpxMV4U6YM=' ext='voice-v1
> camera-v1 video-v1'/><x
> xmlns='vcard-temp:x:update'><photo>dedfd6c7ea87110abc61f90fc6ba9f037f4edb04</photo></x></presence>
>
> So I'm wondering if now the igniterealtime.org server correctly
> rejects ASCII character 13, but still passes through the character
> when it's encoded?  Sorry for the confusion, I should have been more
> clear before.
>
> --Mark
>
> On Sun, Aug 22, 2010 at 12:21 PM, Guus der Kinderen
> <guus.der.kinderen at gmail.com> wrote:
> > Hi Mark,
> >
> > Daryl and I did some tests - things appear to be fixed now, for both
> > the HTTPBind / BOSH and the regular socket interface. There are two
> > glitches that I'll solve when reworking the entire I/O implementation
> > (relates to surrogates and the 0x0 char).
> >
> > Can you verify that the issue has otherwise been resolved at igniterealtime.org?
> >
> > Regards,
> >
> >   Guus
> >
> > On 17 August 2010 18:21, Mark Doliner <mark at kingant.net> wrote:
> >> On Tue, Aug 17, 2010 at 4:36 AM, daryl herzmann <akrherz at iastate.edu> wrote:
> >>> I also noted that your reported issue occurs in Tigase.  Hopefully we'll
> >>> figure out how to fix this.
> >>
> >> Oh I didn't realize that.  Thanks for checking.  I'll make sure
> >> they're aware of it.
> >>
> >> --Mark
> >>
> >
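
The check discussed in this thread (rejecting both raw characters and numeric character references that fall outside the XML 1.0 character set), as an added example; it is not Openfire's or Pidgin's code. The function names are hypothetical, and the sample stanza is a shortened copy of the presence stanza quoted above.

```python
import re

def is_xml10_char(cp):
    """XML 1.0 'Char' production:
    #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
    This excludes 0x0, the other C0 controls and the surrogate range."""
    return (
        cp in (0x9, 0xA, 0xD)
        or 0x20 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )

# Hexadecimal (&#x13;) and decimal (&#19;) numeric character references.
_CHAR_REF = re.compile(r"&#(?:x([0-9A-Fa-f]+)|([0-9]+));")

def find_illegal_chars(stanza):
    """Return sorted (offset, text, code point) tuples for every raw character
    and every numeric character reference that is not an XML 1.0 Char.

    Assumption: every '&#...;' is treated as a reference, so literal text
    inside a CDATA section would be over-flagged. For a server deciding
    whether to relay a stanza, that errs on the side of rejecting."""
    findings = []
    # Encoded form: the reference text itself is plain ASCII, so a filter
    # that only inspects raw bytes never sees the forbidden code point.
    for m in _CHAR_REF.finditer(stanza):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if not is_xml10_char(cp):
            findings.append((m.start(), m.group(0), cp))
    # Raw form: the forbidden character appears directly in the stream.
    for offset, ch in enumerate(stanza):
        if not is_xml10_char(ord(ch)):
            findings.append((offset, repr(ch), ord(ch)))
    return sorted(findings)

# Shortened copy of the presence stanza quoted in the thread.
STANZA = "<presence><status>test &#x13; test</status><priority>1</priority></presence>"

if __name__ == "__main__":
    for offset, text, cp in find_illegal_chars(STANZA):
        print(f"offset {offset}: {text} -> U+{cp:04X} is not an XML 1.0 Char")
```

A stanza with a non-empty result is not well-formed XML 1.0 and should be rejected rather than relayed to other clients.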

