[Pidgin] #15879: wrong "iq" detected during login

Pidgin trac at pidgin.im
Mon Feb 10 12:19:35 EST 2014 

#15879: wrong "iq" detected during login
---------------------------------+---------------------
 Reporter:  arisia               |       Owner:  deryni
     Type:  defect               |      Status:  closed
Milestone:  2.10.9               |   Component:  XMPP
  Version:  2.10.8               |  Resolution:  fixed
 Keywords:  facebook connect iq  |
---------------------------------+---------------------

Comment (by xnyhps):

 '''ThurahT''' in #pidgin showed a log with a case that is not properly
 handled right now:

 A vCard query to yourself (initiated by retrieving info on yourself, so
 with an explicit 'to') is replied by a reply with no 'from'. This is
 legal, but libpurple doesn't allow it currently.

 This patch should fix that:

 {{{
 diff -r df5ea49543fd libpurple/protocols/jabber/iq.c
 --- a/libpurple/protocols/jabber/iq.c   Mon Feb 10 17:27:36 2014 +0100
 +++ b/libpurple/protocols/jabber/iq.c   Mon Feb 10 18:14:15 2014 +0100
 @@ -290,10 +290,12 @@
   * be a valid match if any of the following is true:
   * - Request 'to' matches reply 'from' (including the case where
   *   neither are set).
 - * - Request 'to' was empty and reply 'from' is server JID.
 + * - Request 'to' was my bare JID and reply 'from' is empty.
   * - Request 'to' was empty and reply 'from' is my JID. The spec says
   *   we should only allow bare JID, but we also allow full JID for
   *   compatibility with some servers.
 + * - Request 'to' was empty and reply 'from' is server JID. Not
 + *   allowed by any spec, but for compatibility with some servers.
   *
   * These rules should allow valid IQ replies while preventing spoofed
   * ones.
 @@ -311,6 +313,11 @@
                 return TRUE;
         }

 +       if (!from && purple_strequal(to->node, js->user->node)
 +                       && purple_strequal(to->domain, js->user->domain))
 {
 +               return TRUE;
 +       }
 +
         if (!to && purple_strequal(from->domain, js->user->domain)) {
                 /* Request 'to' is empty and reply 'from' domain matches
 our domain */

 }}}

 I made some minor changes to the documentation too, to document this case
 and emphasize that replies to your own bare JID ''shouldn't'' come from
 the server itself.

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15879#comment:35>
Pidgin <https://pidgin.im>
Pidgin

More information about the Tracker mailing list