[Pidgin] #11110: Pidgin appears to leak DNS for Jabber accounts
Pidgin
trac at pidgin.im
Fri Jan 8 20:38:53 EST 2010
#11110: Pidgin appears to leak DNS for Jabber accounts
-------------------------------------+--------------------------------------
 Reporter:  ioerror                  |        Owner:  deryni
     Type:  defect                   |       Status:  pending
Milestone:                           |    Component:  XMPP
  Version:  2.6.4                    |   Resolution:
 Keywords:  jabber security privacy  |
-------------------------------------+--------------------------------------
Changes (by ioerror):
* status: pending => new
Comment:
It appears that the leak is in libpurple/protocols/jabber.c
Suspect calls appear to be on line 683:
            try_srv_connect(js);
And also on 686-687:
            js->srv_query_data = purple_txt_resolve("_xmppconnect",
                    js->user->domain, txt_resolved_cb, js);
It appears that try_srv_connect() will eventually fall back to the
defaults:
    /* Fall back to the defaults (I'm not sure if we should actually do this) */
    jabber_login_connect(js, js->user->domain, js->user->domain,
            purple_account_get_int(purple_connection_get_account(js->gc), "port", 5222),
            TRUE);
I think if there's a proxy configured for a jabber account, it might make
sense to simply do this in the first place. It seems unlikely that any
SOCKS proxies will support SRV or TXT records in the near future. It might
make sense to allow a user to fill in those responses manually if they
know them (and they're not often changing)...
It may be prudent to check for a proxy in jabber_stream_connect() and to
alert the user that this isn't a possible working combination.
--
Ticket URL: <http://developer.pidgin.im/ticket/11110#comment:4>
Pidgin <http://pidgin.im>
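
An added example, not Pidgin code and not part of the ticket: a self-contained C model of the behaviour the comment proposes, where a configured proxy means no local SRV/TXT lookup and the connection goes straight to the default host and port. It goes one step beyond the comment by also building the SOCKS5 CONNECT request (RFC 1928) with a domain-name address, so the proxy resolves the name instead of the local resolver. The struct and function names are hypothetical, and example.org in the test is a constructed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical account model; these names are not libpurple's. */
struct xmpp_account {
    const char *domain;         /* domain part of the JID */
    const char *connect_server; /* manually entered server, or NULL */
    int port;                   /* 0 means use the XMPP default, 5222 */
    int uses_socks_proxy;       /* nonzero when a SOCKS proxy is configured */
};

struct connect_plan {
    int local_srv_txt_lookup;   /* 1 = query SRV/TXT with the local resolver */
    const char *host;           /* name handed to the proxy or the resolver */
    uint16_t port;
};

/* With a proxy or a manual server set, never query SRV/TXT locally:
 * go straight to the defaults, as the comment suggests. */
struct connect_plan plan_connect(const struct xmpp_account *a)
{
    struct connect_plan p;
    p.host = a->connect_server ? a->connect_server : a->domain;
    p.port = (uint16_t)(a->port ? a->port : 5222);
    p.local_srv_txt_lookup = !a->uses_socks_proxy && !a->connect_server;
    return p;
}

/* SOCKS5 CONNECT (RFC 1928) with ATYP 0x03: the proxy resolves the name.
 * Returns the request length, or 0 if the name or buffer does not fit. */
size_t socks5_connect_by_name(const struct connect_plan *p,
                              uint8_t *out, size_t cap)
{
    size_t n = strlen(p->host);
    if (n == 0 || n > 255 || cap < n + 7)
        return 0;
    out[0] = 0x05;              /* VER */
    out[1] = 0x01;              /* CMD = CONNECT */
    out[2] = 0x00;              /* RSV */
    out[3] = 0x03;              /* ATYP = DOMAINNAME */
    out[4] = (uint8_t)n;        /* length of the host name */
    memcpy(out + 5, p->host, n);
    out[5 + n] = (uint8_t)(p->port >> 8);   /* port, network byte order */
    out[6 + n] = (uint8_t)(p->port & 0xff);
    return n + 7;
}
```
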