Too restrictive usernames in DJabberd?
Jos I. Boumans
jos at dwim.org
Thu Aug 7 16:05:42 UTC 2008
Hi,

the usernames we use in our database can contain dashes. When I tried to
authenticate against djabberd using one of those usernames, I found that
authentication just hangs.

This led me to check in the following fixme (locally only right now) in
DJabberd::IQ:495

    # XXX FIXME
    # if a username contains \W, we return here and the client is left
    # hanging in authentication state. We should at least send back
    # an error/reject of some sort --kane
    return unless $username =~ /^\w+$/;

But, looking at the Jabber spec[1], it seems that pretty much most characters
can be used as part of the JID:

    <conforming-char> ::= #x21 | [#x23-#x25] | [#x28-#x2E] |
                          [#x30-#x39] | #x3B | #x3D | #x3F |
                          [#x41-#x7E] | [#x80-#xD7FF] |
                          [#xE000-#xFFFD] | [#x10000-#x10FFFF]

A quick hack to add '-' to be supported showed me I had to change the code in
3 places in IQ.pm[2], but other than that, everything worked as expected.

Is there any reason DJabberd is overly restrictive? Is there any objection if
I patch DJabberd to expand the allowed usernames, at least to include the
chars mentioned above until 0x7E?

Cheers,
--
Jos Boumans
http://www.linkedin.com/in/josboumans
How do I prove I'm not crazy to people who are?
[1] http://www.xmpp.org/extensions/xep-0029.html#sect-id2252650
[2] $ svk diff
=== lib/DJabberd/IQ.pm
==================================================================
--- lib/DJabberd/IQ.pm (revision 6915)
+++ lib/DJabberd/IQ.pm (local)
@@ -410,7 +410,7 @@
my $username = $get->("username");
my $password = $get->("password");
- return $iq->send_error unless $username =~ /^\w+$/;
+ return $iq->send_error unless $username =~ /^[\w+-]$/;
return $iq->send_error if $bjid && $bjid->node ne $username;
# create the account
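Review bot: The new pattern on the `+` line of this hunk, `/^[\w+-]$/`, has no quantifier after the character class, so it matches only a one-character username and every longer name falls through to `$iq->send_error`. The other two hunks use `/^[\w+-]+$/`; the same `+` after the closing bracket is needed here.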
@@ -458,6 +458,6 @@
}
# FIXME: use nodeprep or whatever, not \w+
- $username = '' unless $username =~ /^\w+$/;
+ $username = '' unless $username =~ /^[\w+-]+$/;
my $type = ($conn->vhost->are_hooks("GetPassword") ||
$conn->vhost->are_hooks("CheckDigest")) ? "<digest/
>" : "<password/>";
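Review bot: Inside the brackets of `/^[\w+-]+$/` the `+` is a literal, so this class admits '+' as well as '-'. If only the dash is meant, `[\w-]` says so; if '+' is intended, note it next to the FIXME above. The same pattern now sits at three sites in IQ.pm, so a single shared compiled regex would keep them from drifting apart.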
@@ -496,6 +496,6 @@
# if a username contains \W, we return here and the client is left
# hanging in authentication state. We should at least send back
# an error/reject of some sort --kane
- return unless $username =~ /^\w+$/;
+ return unless $username =~ /^[\w+-]+$/;
my $vhost = $conn->vhost;
my $reject = sub {
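Review bot: The failing branch here is still a bare `return`, so the hang described in the comment just above it remains for any username the widened class rejects. The check at line 410 already does `return $iq->send_error unless ...`; doing the same here if an `$iq` is available, or moving the check below the `$reject` closure and calling that, would resolve the FIXME instead of carrying it along.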
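As an added example (not part of the original post and not DJabberd's code), the `<conforming-char>` grammar quoted in the message can be written as a Perl character class and compared with the `\w+` check. The helper names and the sample usernames are made up for illustration; the pattern anchors with `\A` and `\z` because `$` also matches before a trailing newline.

```perl
use strict;
use warnings;

# Ranges copied from the <conforming-char> grammar quoted in the post.
# ASCII left out by that grammar: controls, space, " & ' / : < > @ and DEL.
my $class = join '',
    '\x21', '\x23-\x25', '\x28-\x2E', '\x30-\x39', '\x3B', '\x3D', '\x3F',
    '\x41-\x7E', '\x{80}-\x{D7FF}', '\x{E000}-\x{FFFD}',
    '\x{10000}-\x{10FFFF}';

# \A and \z anchor the whole string; unlike $, \z does not accept a
# trailing newline.
my $NODE_RE = qr/\A[${class}]+\z/;

# Hypothetical helper: true if $username consists only of conforming chars.
sub is_conforming_node {
    my ($username) = @_;
    return 0 unless defined $username;
    return $username =~ $NODE_RE ? 1 : 0;
}

# The check quoted from IQ.pm in the post, kept as-is for comparison.
sub passes_word_check {
    my ($username) = @_;
    return $username =~ /^\w+$/ ? 1 : 0;
}

# Constructed sample usernames, including the dashed form from the post
# and a name with a trailing newline.
my @samples = ('kane', 'jos-boumans', 'first.last', 'a+b',
               'user@host', 'a/b', 'a b', '', "kane\n");

printf "%-14s %-6s %s\n", 'username', '\w+', 'conforming';
for my $name (@samples) {
    (my $shown = $name) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-14s %-6s %s\n", "'$shown'",
        passes_word_check($name), is_conforming_node($name);
}
```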