#685 resource binding should allow host

Reporter Sonny Piers
Owner Zash
Created
Updated
Stars ★ (1)  
Tags
  • Compliance
  • Priority-Medium
  • Type-Defect
  • Status-Invalid
  1. Sonny Piers on

    https://gist.github.com/sonnyp/2c967396dcb73348555cfa2123ca0c7d

    Prosody replies with a service-unavailable error if the iq bind stanza "to" attribute is missing the local part. However I can't seem to find anywhere in https://xmpp.org/rfcs/rfc6120.html that it is a requirement. In fact it seems the "to" attribute should contain the domain only and using the bare JID might be invalid.

    8.1.1.1 XML Stanzas > Common Attributes > to > Client-to-Server Streams
    https://xmpp.org/rfcs/rfc6120.html#stanzas-attributes-to-c2s
    > A stanza sent from a client to a server for direct processing by the server [...] MUST NOT possess a 'to' attribute.

    9.1.3 Detailed Examples > Resource Binding
    https://xmpp.org/rfcs/rfc6120.html#examples-c2s-bind

    I made a small patch but I couldn't find how/where to send it.

  2. Sonny Piers on

    Actually the to attribute shouldn't even be included.

  3. Zash on

    It's perfectly ok to include the XML here instead of linking to an external site, in case it ever goes away in the future.

    <!-- OUT -->
    <iq to="localhost" type="set" id="40924263533590377" xmlns="jabber:client">
      <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/>
    </iq>

    <!-- IN -->
    <iq id="40924263533590377" type="error" xmlns="jabber:client" from="localhost">
      <error type="cancel">
        <service-unavailable xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/>
      </error>
    </iq>

  4. Sonny Piers on

    My bad, double-checked and it is working as expected (without "to" attribute). I got confused by the fact that the bind request succeeds with "local@domain" but not with "domain". Not sure if it should be considered a bug though.

  5. Zash on

    The bind request isn't technically a stanza, since you can't send stanzas until after resource binding. But it looks like an iq stanza for historical reasons.

    Prosody is currently routing it as a normal iq stanza, but does not allow anything else until after resource binding. Internally, if a stanza has to='account bare jid', it removes the attribute to simplify later processing. This is why it's currently working when it actually should not. But then, the client MUST NOT send that.

    I'm not opposed to making this stricter, but I would not consider it a priority. One way to fix that would be https://hg.prosody.im/timber/rev/5d49c365f52c (as part of an experimental/incomplete break out of core routing code into a module).
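The three cases discussed in this thread, as an added example that is not part of the thread or of Prosody's code: a small Python check a client author could run over an outgoing bind request to see how its 'to' attribute would be treated according to comments 3 to 5. The function names, the `strict` flag (one possible stricter behaviour, not the linked changeset) and the `local@localhost` account are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

CLIENT_NS = "jabber:client"
BIND_NS = "urn:ietf:params:xml:ns:xmpp-bind"


def classify_bind_to(iq_xml, account_bare_jid, strict=False):
    """Return (verdict, reason) for the 'to' attribute of a bind request.

    Models the behaviour described in the thread, not Prosody's own code.
    strict=True is a hypothetical tightened behaviour: any 'to' is refused.
    """
    iq = ET.fromstring(iq_xml)
    if iq.tag != f"{{{CLIENT_NS}}}iq" or iq.get("type") != "set":
        raise ValueError("not an iq of type 'set'")
    if iq.find(f"{{{BIND_NS}}}bind") is None:
        raise ValueError("no <bind/> child in the xmpp-bind namespace")
    to = iq.get("to")
    if to is None:
        return "accept", "no 'to' attribute, as RFC 6120 8.1.1.1 requires"
    if strict:
        return "reject", "'to' present on a request the server handles itself"
    # Exact string match; real JID comparison needs proper normalisation.
    if to == account_bare_jid:
        return "accept-noncompliant", "bare JID is stripped, so the bind works"
    return "reject", "routed as a normal iq, answered with service-unavailable"


def bind_request(to=None):
    """Build a constructed bind request shaped like the one in the thread."""
    attr = f' to="{to}"' if to is not None else ""
    return (f'<iq{attr} type="set" id="bind-1" xmlns="{CLIENT_NS}">'
            f'<bind xmlns="{BIND_NS}"/></iq>')


if __name__ == "__main__":
    account = "local@localhost"  # constructed account for the example
    for to in (None, "localhost", account):
        for strict in (False, True):
            verdict, reason = classify_bind_to(bind_request(to), account, strict)
            print(f"to={to!r:18} strict={strict!s:5} {verdict}: {reason}")
```
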

  6. Zash on

    Changes
    • tags Status-Invalid
    • owner Zash
