Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Sun Feb 12 01:26:51 EST 2012


Forwarded email 2 of 2 is below.

---------- Forwarded message ----------
From: Mark Doliner <mark at kingant.net>
Date: Sat, Feb 11, 2012 at 10:19 PM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Guus der Kinderen <guus.der.kinderen at gmail.com>
Cc: daryl herzmann <akrherz at iastate.edu>,
"security at igniterealtime.org" <security at igniterealtime.org>


On Tue, Feb 7, 2012 at 1:39 PM, Guus der Kinderen
<guus.der.kinderen at gmail.com> wrote:
> I'm pretty sure we fixed this on the igniterealtime.org domain. Would you
> care to see if you can still reproduce the issue there?

Hi Guus,

Just tested again.  It looks like person A gets disconnected if he
sends bad XML--great!  And if person B has person A in his buddy list,
then person B is unaffected and remains online--also great.

Technically I think person A is supposed to receive a
<not-well-formed/> stream error when he is disconnected (I didn't seem
to receive one in my testing), but that doesn't seem too important.

So nice work, definitely looks like an improvement to me!

Thanks,
Mark


More information about the security mailing list