[Pidgin] #15879: wrong "iq" detected during login

Pidgin trac at pidgin.im
Thu Jan 30 12:15:20 EST 2014


#15879: wrong "iq" detected during login
---------------------------------+---------------------
 Reporter:  arisia               |       Owner:  deryni
     Type:  defect               |      Status:  new
Milestone:                       |   Component:  XMPP
  Version:  2.10.8               |  Resolution:
 Keywords:  facebook connect iq  |
---------------------------------+---------------------

Comment (by xnyhps):

 I've emailed the jdev and security mailing lists at jabber.org. See
 http://mail.jabber.org/pipermail/jdev/2014-January/089824.html.

 Seeing the observed behavior from these broken servers, I think it would
 be a valid workaround for libpurple to consider iqs from:

 * The bare domain JID
 * The full JID of Pidgin

 to be legal when expecting an iq reply with either the user's bare JID or
 no 'to'. As far as I can tell, that should have no security implications
 and would fix the problems we've seen so far.

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15879#comment:19>
Pidgin <https://pidgin.im>
Pidgin
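
The acceptance rule proposed in the comment above, sketched in C as an added example (not libpurple's code and not part of the original message). The struct, the function names and the sample JIDs are hypothetical, and JIDs are assumed to be already normalized so that a plain string comparison is valid.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical session record: the JID this client bound, already normalized. */
struct session {
    const char *node;      /* e.g. "alice" */
    const char *domain;    /* e.g. "example.org" */
    const char *resource;  /* e.g. "pidgin" */
};

static bool same(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/*
 * Decide whether an iq reply may be matched to a pending request.
 * req_to: the 'to' we sent (NULL if none); from: the reply's 'from' (NULL if absent).
 */
bool iq_reply_from_ok(const struct session *s, const char *req_to, const char *from)
{
    char bare[1024], full[2048];

    /* Oversized JIDs fail closed instead of being compared truncated. */
    if (snprintf(bare, sizeof bare, "%s@%s", s->node, s->domain) >= (int)sizeof bare ||
        snprintf(full, sizeof full, "%s/%s", bare, s->resource) >= (int)sizeof full)
        return false;

    /* Request addressed to some other entity: only that exact JID may answer. */
    if (req_to != NULL && !same(req_to, bare))
        return same(from, req_to);

    /* Request had no 'to' or the user's bare JID: the usual expected senders. */
    if (from == NULL || same(from, bare))
        return true;

    /* Workaround from the comment: bare domain JID and the client's own full JID. */
    return same(from, s->domain) || same(from, full);
}

int main(void)
{
    struct session s = { "alice", "example.org", "pidgin" };  /* constructed sample */
    const char *froms[] = { NULL, "alice@example.org", "example.org",
        "alice@example.org/pidgin", "alice@example.org/other", "mallory@example.org/x" };
    for (size_t i = 0; i < sizeof froms / sizeof froms[0]; i++)
        printf("%-26s -> %s\n", froms[i] ? froms[i] : "(no from)",
               iq_reply_from_ok(&s, NULL, froms[i]) ? "accept" : "reject");
    return 0;
}
```

Replies from any other JID, including another resource of the same account, are still rejected, and the relaxation does not apply to requests addressed to a different entity.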

