Too restrictive usernames in DJabberd?
Artur Bergman
sky at crucially.net
Thu Aug 7 16:12:29 UTC 2008
There is another fixme there as well. The solution is to use
nodeprep (I think).
First step is probably to add a method that verifies username and
lets you override that in a subclass/plugin?
Cheers
Artur
On Aug 7, 2008, at 9:05 AM, Jos I. Boumans wrote:
> Hi,
>
> The usernames we use in our database can contain dashes. When I tried to authenticate
> against djabberd using one of those usernames, I found that authentication just hangs.
>
> This led me to check in the following fixme (locally only right
> now) in DJabberd::IQ:495
>
> # XXX FIXME
> # if a username contains \W, we return here and the client is left
> # hanging in authentication state. We should at least send back
> # an error/reject of some sort --kane
> return unless $username =~ /^\w+$/;
>
> But, looking at the Jabber spec[1], it seems that pretty much most characters can
> be used as part of the JID:
>
> <conforming-char> ::= #x21 | [#x23-#x25] | [#x28-#x2E] |
> [#x30-#x39] | #x3B | #x3D | #x3F |
> [#x41-#x7E] | [#x80-#xD7FF] |
> [#xE000-#xFFFD] | [#x10000-#x10FFFF]
>
> A quick hack to add '-' to be supported showed me I had to change the code in
> 3 places in IQ.pm[2], but other than that, everything worked as expected.
>
> Is there any reason DJabberd is overly restrictive? Is there any objection if
> I patch DJabberd to expand the allowed usernames, at least to include the chars
> mentioned above until 0x7E?
>
> Cheers,
>
> --
>
> Jos Boumans
> http://www.linkedin.com/in/josboumans
>
> How do I prove I'm not crazy to people who are?
>
>
> [1] http://www.xmpp.org/extensions/xep-0029.html#sect-id2252650
>
> [2] $ svk diff
> === lib/DJabberd/IQ.pm
> ==================================================================
> --- lib/DJabberd/IQ.pm (revision 6915)
> +++ lib/DJabberd/IQ.pm (local)
> @@ -410,7 +410,7 @@
>
> my $username = $get->("username");
> my $password = $get->("password");
> - return $iq->send_error unless $username =~ /^\w+$/;
> + return $iq->send_error unless $username =~ /^[\w+-]$/;
> return $iq->send_error if $bjid && $bjid->node ne $username;
>
> # create the account
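Review bot: The new pattern on the added line, /^[\w+-]$/, has no quantifier after the character class, so it matches only a one-character username and account creation would return send_error for anything longer. The other two hunks use /^[\w+-]+$/, which looks like what was meant here. Since the same pattern now lives in three places, pulling it into one shared check would stop the copies from drifting apart like this.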
> @@ -458,6 +458,6 @@
> }
>
> # FIXME: use nodeprep or whatever, not \w+
> - $username = '' unless $username =~ /^\w+$/;
> + $username = '' unless $username =~ /^[\w+-]+$/;
> my $type = ($conn->vhost->are_hooks("GetPassword") ||
> $conn->vhost->are_hooks("CheckDigest")) ? "<digest/
> >" : "<password/>";
>
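Review bot: Inside the class in /^[\w+-]+$/ the first + is a literal, so this accepts '+' in usernames as well as '-', while the description only talks about adding '-'. If that is not intended, [\w-] says it exactly. In Perl, $ also matches before a trailing newline, so \z is the tighter end anchor for an identifier check.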
> @@ -496,6 +496,6 @@
> # if a username contains \W, we return here and the client is
> left
> # hanging in authentication state. We should at least send back
> # an error/reject of some sort --kane
> - return unless $username =~ /^\w+$/;
> + return unless $username =~ /^[\w+-]+$/;
> my $vhost = $conn->vhost;
>
> my $reject = sub {
>
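Review bot: The bare return on the changed line still sends nothing back, so a username outside the new class leaves the client hanging exactly as the comment above it describes. The change widens the accepted set but does not address the FIXME. Consider replying with an error before returning, as the first hunk does with $iq->send_error, or moving the check below the $reject closure and calling that, if it does what its name suggests.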
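An added example, not code from the thread or from DJabberd: one overridable username check of the kind suggested in the reply, built from the ASCII part (up to 0x7E) of the conforming-char grammar quoted above. The package and method names are hypothetical, the sample usernames are constructed, and it does not implement nodeprep.

```perl
use strict;
use warnings;

package Example::UsernamePolicy;    # hypothetical name, not a DJabberd class

# ASCII part (up to 0x7E) of the <conforming-char> grammar quoted in the thread.
my $CONFORMING = qr/[\x21\x23-\x25\x28-\x2E\x30-\x39\x3B\x3D\x3F\x41-\x7E]/;

sub new { return bless {}, shift }

# Single place that decides whether a username is acceptable; subclasses override it.
# \A and \z anchor the whole string: unlike $, \z does not allow a trailing newline.
sub is_valid_username {
    my ($self, $username) = @_;
    return 0 unless defined $username;
    return $username =~ /\A$CONFORMING+\z/ ? 1 : 0;
}

package Example::StrictPolicy;      # hypothetical subclass: word characters and '-' only
our @ISA = ('Example::UsernamePolicy');

sub is_valid_username {
    my ($self, $username) = @_;
    return 0 unless $self->SUPER::is_valid_username($username);
    return $username =~ /\A[\w-]+\z/ ? 1 : 0;
}

package main;

# Constructed sample usernames, including one with a trailing newline.
my @samples = ('kane', 'jos-boumans', 'a+b', 'user@host', 'a/b', "kane\n", '');
my %checks = (
    'old /^\w+$/'     => sub { $_[0] =~ /^\w+$/ ? 1 : 0 },
    'conforming-char' => sub { Example::UsernamePolicy->new->is_valid_username($_[0]) },
    'strict subclass' => sub { Example::StrictPolicy->new->is_valid_username($_[0]) },
);

for my $name (sort keys %checks) {
    for my $u (@samples) {
        (my $shown = $u) =~ s/\n/\\n/g;    # make the newline visible in the output
        printf "%-16s %-14s %s\n", $name, "'$shown'",
            $checks{$name}->($u) ? 'accept' : 'reject';
    }
}
```

The rows for the newline-terminated sample show the difference between the $ and \z anchors, and the 'user@host' and 'a/b' rows show that the JID separators stay excluded under the wider class.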