Comments (7)
Thanks for finding this, there really is no check for this in strophe. I made a fix here: Gordin/strophejs@strophe:master...websocket
This allows more than the RFC does when the to is empty because some servers are broken, but spoofing should not be possible any more.
Can you test this and verify that this fixes the problem?
from strophejs.
Sorry for the delay. I've verified that it works with those changes, the spoofed replies are now properly ignored.
errrm, do you guys realise that some stanzas are not required to have certain attributes.
for example, when requesting your own vCard, you do not always need to provide 'from' attribute.
@isfarax A client never needs to specify a 'from' attribute. This isn't about specifying attributes, this is about verifying them on incoming stanzas.
If you request your own vCard, you want to make sure the reply comes from your own server, not from a malicious contact.
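The check described in the comment above, as an added illustration (not strophe's own code, not the linked fix): the 'from' of an incoming IQ reply is compared with the 'to' of the request it answers. Stanzas are modelled as plain objects, and it is an assumption of this example that a reply to a request handled by one's own server may carry no 'from', one's own bare JID, or one's own server domain, while a reply to a request addressed elsewhere must come from exactly that JID.

```javascript
// Added example, not strophe's own code: validate the 'from' of incoming IQ
// replies against the request they answer, so a malicious contact cannot
// answer (for example) a request for your own vCard.

function bareJid(jid) {
  return jid ? jid.split('/')[0] : '';
}

function domainOf(jid) {
  const bare = bareJid(jid);
  const at = bare.indexOf('@');
  return at === -1 ? bare : bare.slice(at + 1);
}

// Who may answer a request that was addressed to `requestTo`?
// - no 'to', own bare JID or own domain: the server answers on our behalf, so
//   the reply may carry no 'from', our bare JID or (assumption: lenient, for
//   servers that do this) our server's domain;
// - anything else: 'from' must equal the addressed JID exactly.
function isTrustedReply(ownJid, requestTo, replyFrom) {
  const me = bareJid(ownJid);
  const server = domainOf(ownJid);
  const answeredByServer =
    !requestTo || bareJid(requestTo) === me || requestTo === server;
  if (answeredByServer) {
    return !replyFrom || bareJid(replyFrom) === me || replyFrom === server;
  }
  return replyFrom === requestTo;
}

// Minimal IQ tracker: remembers the 'to' of each outgoing request by id and
// classifies each incoming result/error. A spoofed reply is dropped without
// consuming the pending id, so the genuine reply can still be accepted.
class IqTracker {
  constructor(ownJid) {
    this.ownJid = ownJid;
    this.pending = new Map(); // id -> requestTo ('' when the request had no 'to')
  }
  sendIq(id, to) {
    this.pending.set(id, to || '');
  }
  receive(stanza) {
    if (stanza.type !== 'result' && stanza.type !== 'error') return 'ignored';
    if (!this.pending.has(stanza.id)) return 'unexpected';
    const requestTo = this.pending.get(stanza.id);
    if (!isTrustedReply(this.ownJid, requestTo, stanza.from)) return 'spoofed';
    this.pending.delete(stanza.id);
    return 'accepted';
  }
}
```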
ok, makes sense.
Can you give us a method to repeat this scenario please. I would like to investigate this problem.
Is this issue fixed?
This appears to be fixed in 42340f5
Closing.