Too restrictive usernames in DJabberd?

Artur Bergman sky at crucially.net
Thu Aug 7 16:12:29 UTC 2008


There is another fixme there as well. The solution is to use
nodeprep (I think).

First step is probably to add a method that verifies username and  
lets you override that in a subclass/plugin?

Cheers
Artur

On Aug 7, 2008, at 9:05 AM, Jos I. Boumans wrote:

> Hi,
>
> the usernames we use in our database can contain dashes. When I
> tried to authenticate
> against djabberd using one of those usernames, I found that  
> authentication just hangs.
>
> This led me to check in the following fixme (locally only right  
> now) in DJabberd::IQ:495
>
>     # XXX FIXME
>     # if a username contains \W, we return here and the client is left
>     # hanging in authentication state. We should at least send back
>     # an error/reject of some sort --kane
>     return unless $username =~ /^\w+$/;
>
> But, looking at the Jabber spec[1], it seems that pretty much most  
> characters can
> be used as part of the JID:
>
> <conforming-char> ::= #x21 | [#x23-#x25] | [#x28-#x2E] |
>                       [#x30-#x39] | #x3B | #x3D | #x3F |
>                       [#x41-#x7E] | [#x80-#xD7FF] |
>                       [#xE000-#xFFFD] | [#x10000-#x10FFFF]
>
> A quick hack to add '-' to be supported showed me I had to change  
> the code in
> 3 places in IQ.pm[2], but other than that, everything worked as  
> expected.
>
> Is there any reason DJabberd is overly restrictive? Is there any  
> objection if
> I patch DJabberd to expand the allowed usernames, at least to  
> include the chars
> mentioned above until 0x7E?
>
> Cheers,
>
> --
>
>   Jos Boumans                    http://www.linkedin.com/in/josboumans
>
>   How do I prove I'm not crazy to people who are?
>
>
> [1] http://www.xmpp.org/extensions/xep-0029.html#sect-id2252650
>
> [2] $ svk diff
> === lib/DJabberd/IQ.pm
> ==================================================================
> --- lib/DJabberd/IQ.pm  (revision 6915)
> +++ lib/DJabberd/IQ.pm  (local)
> @@ -410,7 +410,7 @@
>
>      my $username = $get->("username");
>      my $password = $get->("password");
> -    return $iq->send_error unless $username =~ /^\w+$/;
> +    return $iq->send_error unless $username =~ /^[\w+-]$/;
>      return $iq->send_error if $bjid && $bjid->node ne $username;
>
>      # create the account
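Review bot: the replacement pattern on the `+` line, `/^[\w+-]$/`, has no quantifier after the character class, so the registration path would accept only one-character usernames; the other two hunks use `/^[\w+-]+$/`. The `+` inside the brackets is also a literal plus sign rather than a quantifier, so if only `-` is meant to be added the class should read `[\w-]`.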
> @@ -458,6 +458,6 @@
>      }
>
>      # FIXME:  use nodeprep or whatever, not \w+
> -    $username = '' unless $username =~ /^\w+$/;
> +    $username = '' unless $username =~ /^[\w+-]+$/;
>      my $type = ($conn->vhost->are_hooks("GetPassword") ||
>                  $conn->vhost->are_hooks("CheckDigest")) ? "<digest/ 
> >" : "<password/>";
>
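Review bot: the check `$username =~ /^[\w+-]+$/` still ends in `$`, which in Perl also matches before a trailing newline, so a username ending in a newline passes; anchoring with `\A` and `\z` closes that. The same pattern now appears in three places in IQ.pm, and the first hunk already differs from the other two, so a single shared check would keep them from drifting.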
> @@ -496,6 +496,6 @@
>      # if a username contains \W, we return here and the client is  
> left
>      # hanging in authentication state. We should at least send back
>      # an error/reject of some sort --kane
> -    return unless $username =~ /^\w+$/;
> +    return unless $username =~ /^[\w+-]+$/;
>      my $vhost = $conn->vhost;
>
>      my $reject = sub {
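Review bot: the bare `return` on the changed line still leaves the client hanging for any username the pattern rejects, which is the problem the comment directly above it describes. Widening the class only shrinks the set of affected names; moving the check below the `$reject` sub that follows and calling it (assuming it sends the failure its name suggests) would give the client an answer.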
>
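The overridable username check suggested in the reply, sketched against the `<conforming-char>` grammar quoted in the message. This is an added example, not DJabberd code: the package and method names are hypothetical and the sample usernames are constructed. It is not nodeprep, which also normalises the string.

```perl
#!/usr/bin/perl
# Added example, not DJabberd code. Package and method names are hypothetical.
use strict;
use warnings;
binmode(STDOUT, ":encoding(UTF-8)");

package Example::UsernamePolicy;

# Character class transcribed from the <conforming-char> grammar quoted in the
# message. Left out by that grammar: controls, space, " & ' / : < > @ and DEL.
my $CONFORMING = qr/[\x{21}\x{23}-\x{25}\x{28}-\x{2E}\x{30}-\x{39}\x{3B}\x{3D}\x{3F}\x{41}-\x{7E}\x{80}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/;

sub new { my ($class) = @_; return bless {}, $class; }

# True if $username is acceptable. \A and \z are used instead of ^ and $
# because $ also matches just before a trailing newline.
sub is_valid_username {
    my ($self, $username) = @_;
    return 0 unless defined $username && length $username;
    return $username =~ /\A$CONFORMING+\z/ ? 1 : 0;
}

package Example::UsernamePolicy::AsciiOnly;
our @ISA = ('Example::UsernamePolicy');

# Subclass override: same grammar, but stop at 0x7E as proposed in the message.
sub is_valid_username {
    my ($self, $username) = @_;
    return 0 unless $self->SUPER::is_valid_username($username);
    return $username =~ /\A[\x21-\x7E]+\z/ ? 1 : 0;
}

package main;

# Constructed sample usernames, including the cases \w+ and $ get wrong.
my @samples = ("jos-boumans", "kane", "a b", "user\@host", "kane\n", "", "j\x{F6}s");

for my $policy (Example::UsernamePolicy->new, Example::UsernamePolicy::AsciiOnly->new) {
    for my $u (@samples) {
        (my $shown = $u) =~ s/\n/\\n/g;    # make the newline visible in output
        printf "%-36s %-14s %s\n", ref $policy, "'$shown'",
            $policy->is_valid_username($u) ? "accept" : "reject";
    }
}
```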