Fwd: Openfire should not pass through non-well-formed XML
Mark Doliner
mark at kingant.net
Sun Feb 12 15:10:30 EST 2012
A 3rd email about Openfire.
---------- Forwarded message ----------
From: Guus der Kinderen <guus.der.kinderen at gmail.com>
Date: Sun, Feb 12, 2012 at 9:45 AM
Subject: Re: Openfire should not pass through non-well-formed XML
To: Mark Doliner <mark at kingant.net>
Cc: daryl herzmann <akrherz at iastate.edu>,
"security at igniterealtime.org" <security at igniterealtime.org>
Thanks for the quick follow-up Mark.
I was hoping you'd miss that missing stream error two seconds after I
pressed send. :)
Just now, we modified the code to include a stream error. I'm aware
that we're still using the old "xml_not_well_formed" (vs
"not_well_formed") variant. I'm planning to migrate all of these
occurrences in one iteration, to keep things somewhat consistent.
Thanks again!
- Guus
On 12 February 2012 07:19, Mark Doliner <mark at kingant.net> wrote:
>
> On Tue, Feb 7, 2012 at 1:39 PM, Guus der Kinderen
> <guus.der.kinderen at gmail.com> wrote:
> > I'm pretty sure we fixed this on the igniterealtime.org domain. Would you
> > care to see if you can still reproduce the issue there?
>
> Hi Guus,
>
> Just tested again. It looks like person A gets disconnected if he
> sends bad XML--great! And if person B has person A in his buddy list,
> then person B is unaffected and remains online--also great.
>
> Technically I think person A is supposed to receive a
> <not-well-formed/> stream error when he is disconnected (I didn't seem
> to receive one in my testing), but that doesn't seem too important.
>
> So nice work, definitely looks like an improvement to me!
>
> Thanks,
> Mark
More information about the security
mailing list