Unauthorized topic changes
Thijs Alkemade
thijs at adium.im
Tue Jan 5 04:51:06 EST 2016
Hello all,
Dave Cridland reported to me privately an issue they've been noticing with
Pidgin and Openfire. Pidgin interprets every message in a MUC with a <subject>
as a topic change, yet XEP-0045 §7.2.16 specifies that subjects MUST NOT
contain a <body>. As some servers don't reject messages with both a <subject>
and a <body>, those cause the appearance that unauthorized users can change
the topic. It's a pretty minor issue security-wise, but I do think it should
be treated as one.
Some discussion from Openfire is here:
https://igniterealtime.org/issues/browse/OF-122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&showAll=true
Note that ejabberd was doing things wrong the other way around by adding a
<body>:
https://github.com/processone/ejabberd/commit/6c712b6caaaed35471452612d643f785bfdf11ee
so fixing this will cause a lot of topic-spam in devel at conference.pidgin.im. :)
A patch for this would be pretty simple (too lazy to add this as an
attachment):
diff -r 93ca6095dbe6 libpurple/protocols/jabber/message.c
--- a/libpurple/protocols/jabber/message.c Mon Jan 04 12:01:24 2016 -0600
+++ b/libpurple/protocols/jabber/message.c Tue Jan 05 10:37:15 2016 +0100
@@ -228,7 +228,7 @@
if(!chat)
return;
- if(jm->subject) {
+ if(jm->subject && !jm->body) {
purple_conv_chat_set_topic(PURPLE_CONV_CHAT(chat->conv), jid->resource,
jm->subject);
if(!jm->xhtml && !jm->body) {
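Review bot: the new outer condition if(jm->subject && !jm->body) makes the !jm->body half of the nested if(!jm->xhtml && !jm->body) always true inside this branch, so the nested test can be reduced to if(!jm->xhtml). The outer condition also tests only the plain body: a message that has a subject and jm->xhtml set but no jm->body still reaches purple_conv_chat_set_topic(). If that case should be treated as an ordinary message as well, add !jm->xhtml to the outer condition. A one-line comment above the condition naming the XEP-0045 rule would make the intent clear to later readers.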
Regards,
Thijs
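
An added example, not part of the original message or of Pidgin's code: a Python replay of constructed groupchat stanzas that compares the interpretation described above (any <subject> sets the topic) with the one the patch adopts (a <subject> counts only when no <body> is present). The room JID, nicknames and function names are made up for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{jabber:client}"

# Constructed sample stanzas (not captured traffic); room and nicks are made up.
STANZAS = [
    # Genuine topic change relayed by the room: <subject> only.
    "<message xmlns='jabber:client' type='groupchat' "
    "from='room@conference.example/moderator'>"
    "<subject>Release planning</subject></message>",
    # Ordinary message that also carries a <subject>, relayed by a server
    # that does not reject the combination.
    "<message xmlns='jabber:client' type='groupchat' "
    "from='room@conference.example/visitor'>"
    "<subject>Spoofed topic</subject><body>hello</body></message>",
    # Plain chat message with no <subject> at all.
    "<message xmlns='jabber:client' type='groupchat' "
    "from='room@conference.example/visitor'>"
    "<body>anyone here?</body></message>",
]

def parse(stanza):
    """Return (nick, subject, body) for a groupchat message, else None."""
    msg = ET.fromstring(stanza)
    if msg.tag != NS + "message" or msg.get("type") != "groupchat":
        return None
    nick = msg.get("from", "").partition("/")[2]
    # findtext() gives None when the child is absent and "" when it is empty,
    # so an empty <subject/> (clearing the topic) is still seen as present.
    return nick, msg.findtext(NS + "subject"), msg.findtext(NS + "body")

def room_topic(stanzas, strict):
    """Replay stanzas and return (topic, set_by) as a client would show it."""
    topic = (None, None)
    for stanza in stanzas:
        parsed = parse(stanza)
        if parsed is None:
            continue
        nick, subject, body = parsed
        if subject is None:
            continue
        if strict and body is not None:
            continue  # carries a <body>: a normal message, not a topic change
        topic = (subject, nick)
    return topic

if __name__ == "__main__":
    print("any <subject>:      ", room_topic(STANZAS, strict=False))
    print("<subject>, no <body>:", room_topic(STANZAS, strict=True))
```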