Fwd: Openfire should not pass through non-well-formed XML

Mark Doliner mark at kingant.net
Sun Feb 12 15:10:30 EST 2012


A 3rd email about Openfire.

---------- Forwarded message ----------
From: Guus der Kinderen <guus.der.kinderen at gmail.com>
Date: Sun, Feb 12, 2012 at 9:45 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: daryl herzmann <akrherz at iastate.edu>,
"security at igniterealtime.org" <security at igniterealtime.org>


Thanks for the quick follow-up Mark.

I was hoping you'd miss that missing stream error two seconds after I
pressed send. :)

Just now, we modified the code to include a stream error. I'm aware
that we're still using the old "xml_not_well_formed" (vs
"not_well_formed") variant. I'm planning to migrate all of these
occurrences in one iteration, to keep things somewhat consistent.

Thanks again!

 - Guus

On 12 February 2012 07:19, Mark Doliner <mark at kingant.net> wrote:
>
> On Tue, Feb 7, 2012 at 1:39 PM, Guus der Kinderen
> <guus.der.kinderen at gmail.com> wrote:
> > I'm pretty sure we fixed this on the igniterealtime.org domain. Would you
> > care to see if you can still reproduce the issue there?
>
> Hi Guus,
>
> Just tested again.  It looks like person A gets disconnected if he
> sends bad XML--great!  And if person B has person A in his buddy list,
> then person B is unaffected and remains online--also great.
>
> Technically I think person A is supposed to receive a
> <not-well-formed/> stream error when he is disconnected (I didn't seem
> to receive one in my testing), but that doesn't seem too important.
>
> So nice work, definitely looks like an improvement to me!
>
> Thanks,
> Mark
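
An added illustration (not part of the thread, and not Openfire's code) of the behaviour the messages above describe: a server-side gate that relays a stanza only after it has parsed as well-formed, and otherwise answers the sender with a `<not-well-formed/>` stream error and closes only that sender's stream. `InboundStream` and the sample stanzas are hypothetical; the sketch assumes the stream header arrives in its own chunk and that no chunk straddles two stanzas.

```python
import xml.parsers.expat

# RFC 6120 condition name; RFC 3920 called the same condition <xml-not-well-formed/>.
STREAM_ERROR = (b"<stream:error><not-well-formed "
                b"xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>"
                b"</stream:stream>")

class InboundStream:
    """Hypothetical per-connection gate (assumption, not Openfire code)."""
    def __init__(self):
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end
        self.depth = 0        # 0 = no stream open, 1 = between stanzas
        self.pending = b""    # bytes of the stanza currently being parsed
        self.closed = False

    def _start(self, name, attrs):
        self.depth += 1

    def _end(self, name):
        self.depth -= 1

    def feed(self, chunk):
        """Return (bytes to relay to other entities, bytes to send back to the sender)."""
        if self.closed:
            return b"", b""
        in_stream = self.depth >= 1
        try:
            self.parser.Parse(chunk, False)
        except xml.parsers.expat.ExpatError:
            # Drop the partial stanza, tell the sender why, end only this stream.
            self.closed, self.pending = True, b""
            return b"", STREAM_ERROR
        if not in_stream:          # chunk was the stream header: nothing to relay
            return b"", b""
        if self.depth == 0:        # sender closed the stream normally
            self.closed = True
            return b"", b""
        self.pending += chunk
        if self.depth > 1:         # stanza still open: hold it back
            return b"", b""
        stanza, self.pending = self.pending, b""
        return stanza, b""

# Constructed sample input.
HEADER = b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
GOOD = b"<message to='b@example.org'><body>hi</body></message>"
BAD = b"<message to='b@example.org'><body>a & b</message>"
```

Nothing from a stanza reaches other entities until its closing tag has parsed, so a contact of the sender never sees the malformed bytes.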

