Too restrictive usernames in DJabberd?

Jos I. Boumans jos at dwim.org
Thu Aug 7 16:05:42 UTC 2008


Hi,

the usernames we use in our database can contain dashes. When I tried to
authenticate against djabberd using one of those usernames, I found that
authentication just hangs.

This led me to check in the following fixme (locally only right now) in
DJabberd::IQ:495

     # XXX FIXME
     # if a username contains \W, we return here and the client is left
     # hanging in authentication state. We should at least send back
     # an error/reject of some sort --kane
     return unless $username =~ /^\w+$/;

But, looking at the Jabber spec[1], it seems that pretty much most characters
can be used as part of the JID:

<conforming-char> ::= #x21 | [#x23-#x25] | [#x28-#x2E] |
                       [#x30-#x39] | #x3B | #x3D | #x3F |
                       [#x41-#x7E] | [#x80-#xD7FF] |
                       [#xE000-#xFFFD] | [#x10000-#x10FFFF]

A quick hack to add '-' to be supported showed me I had to change the code in
3 places in IQ.pm[2], but other than that, everything worked as expected.

Is there any reason DJabberd is overly restrictive? Is there any objection if
I patch DJabberd to expand the allowed usernames, at least to include the
chars mentioned above until 0x7E?

Cheers,

--

   Jos Boumans                http://www.linkedin.com/in/josboumans

   How do I prove I'm not crazy to people who are?


[1] http://www.xmpp.org/extensions/xep-0029.html#sect-id2252650

[2] $ svk diff
=== lib/DJabberd/IQ.pm
==================================================================
--- lib/DJabberd/IQ.pm  (revision 6915)
+++ lib/DJabberd/IQ.pm  (local)
@@ -410,7 +410,7 @@

      my $username = $get->("username");
      my $password = $get->("password");
-    return $iq->send_error unless $username =~ /^\w+$/;
+    return $iq->send_error unless $username =~ /^[\w+-]$/;
      return $iq->send_error if $bjid && $bjid->node ne $username;

      # create the account
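
Review bot: the new pattern on the `+` line, `/^[\w+-]$/`, has no quantifier after the character class, so it only matches a one-character username and registration would send an error for anything longer, including names the old `/^\w+$/` accepted. The other two hunks use `/^[\w+-]+$/`; this line should match them.
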
@@ -458,6 +458,6 @@
      }

      # FIXME:  use nodeprep or whatever, not \w+
-    $username = '' unless $username =~ /^\w+$/;
+    $username = '' unless $username =~ /^[\w+-]+$/;
      my $type = ($conn->vhost->are_hooks("GetPassword") ||
                  $conn->vhost->are_hooks("CheckDigest")) ? "<digest/ 
 >" : "<password/>";
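
Review bot: inside the brackets of `/^[\w+-]+$/` the `+` is a literal plus sign, not a quantifier, so the changed line admits `+` in usernames as well as `-`, while the message only talks about adding dashes. If only the dash is intended, write `[\w-]`. The FIXME in the context line above about nodeprep still applies, and the same pattern now appears in three places in IQ.pm, so one shared pattern or helper would keep them from drifting apart.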

@@ -496,6 +496,6 @@
      # if a username contains \W, we return here and the client is left
      # hanging in authentication state. We should at least send back
      # an error/reject of some sort --kane
-    return unless $username =~ /^\w+$/;
+    return unless $username =~ /^[\w+-]+$/;
      my $vhost = $conn->vhost;

      my $reject = sub {
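
Review bot: the bare `return` on the changed line still leaves the client hanging for any username that fails the new pattern, which is what the FIXME comment directly above it describes, and that comment's "contains \W" wording is no longer accurate once `-` is allowed. Suggest sending an error on this path, as the first hunk does with `return $iq->send_error unless ...` (assuming an equivalent object is in scope here), and updating the comment. Note also that `$` matches before a trailing newline, so `\z` is the stricter end anchor.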


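The ASCII part (up to 0x7E) of the conforming-char grammar quoted in the message, written as a Perl check and compared with the patched `/^[\w+-]+$/` pattern. This is an added example, not code from the message or from DJabberd; `username_error` and the sample names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# ASCII subset (through 0x7E) of the <conforming-char> production quoted above.
# Left out below 0x7F: space, " & ' / : < > @ and all control characters.
my $CONFORMING = qr/[\x21\x23-\x25\x28-\x2E\x30-\x39\x3B\x3D\x3F\x41-\x7E]/;

# Hypothetical helper: returns undef when the username is acceptable, otherwise
# a reason string the caller can send back instead of returning silently.
sub username_error {
    my ($username) = @_;
    return "empty username" unless defined $username && length $username;

    # \A and \z anchor the whole string; with /^...$/ a trailing "\n" slips through.
    return if $username =~ /\A$CONFORMING+\z/;

    # Report the first character outside the allowed set.
    my ($bad) = $username =~ /((?!$CONFORMING).)/s;
    return sprintf "character U+%04X not allowed", ord $bad;
}

# Constructed sample usernames, including the separators a JID reserves.
my @samples = ("jos-boumans", "kane", "a+b", "jos\@dwim", "res/ource",
               "two words", "kane\n", "");

for my $name (@samples) {
    my $err     = username_error($name);
    my $patched = $name =~ /^[\w+-]+$/ ? "accepts" : "rejects";   # pattern from the diff
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-15s grammar check: %-35s patched regex: %s\n",
        "'$shown'", defined $err ? "reject ($err)" : "ok", $patched;
}
```

The two checks disagree on `"kane\n"`: the `$`-anchored pattern accepts it, the `\z`-anchored one does not.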
