Unauthorized topic changes

Thijs Alkemade thijs at adium.im
Tue Jan 5 04:51:06 EST 2016

Hello all,

Dave Cridland reported to me privately an issue they've been noticing with
Pidgin and Openfire. Pidgin interprets every message in a MUC with a <subject>
as a topic change, yet XEP-0045 ยง7.2.16 specifies that subjects MUST NOT
contain a <body>. As some servers don't reject messages with both a <subject>
and a <body>, those cause the appearance that unauthorized users can change
the topic. It's a pretty minor issue security-wise, but I do think it should
be treated as one.

Some discussion from Openfire is here:


Note that ejabberd was doing things wrong the other way around by adding a


so fixing this will cause a lot of topic-spam in devel at conference.pidgin.im. :)

A patch for this would be pretty simple (too lazy to add this as an

diff -r 93ca6095dbe6 libpurple/protocols/jabber/message.c
--- a/libpurple/protocols/jabber/message.c      Mon Jan 04 12:01:24 2016 -0600
+++ b/libpurple/protocols/jabber/message.c      Tue Jan 05 10:37:15 2016 +0100
@@ -228,7 +228,7 @@

-       if(jm->subject) {
+       if(jm->subject && !jm->body) {
                purple_conv_chat_set_topic(PURPLE_CONV_CHAT(chat->conv), jid->resource,
                if(!jm->xhtml && !jm->body) {

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20160105/0c999a1a/attachment.sig>

More information about the security mailing list