[ejabberd] problem with components and in-band registration

Steven Lehrburger lehrburger at gmail.com
Sun May 6 05:08:48 MSK 2012


In case anyone is curious in the future about how I ended up resolving this:

https://github.com/lehrblogger/ejabberd/commit/84bd73d428f81151d71a61eabfefe7a461f72470


There's more detail in the commit message, but essentially I'm allowing a
registration attempt with a failed IP check to proceed if the user making
the attempt is on an access control list in ejabberd.cfg. I learned after
this was mostly done about ejabberd_xmlrpc, which might be a better way to
do what I want, so I might change it in the future. Thoughts/feedback
appreciated!

Cheers,
Steven


On Tue, May 1, 2012 at 11:13 AM, Steven Lehrburger <lehrburger at gmail.com>wrote:

> Hi,
>
> Im working on an application that needs to use an XMPP component bot to
> register new accounts on behalf of my users, but it's failing some sort of
> IP check.
>
> I figured out the changes I needed to make to ejabberd.cfg, and patched
> mod_register.erl, as described here:
>
> http://www.ejabberd.im/node/5020
>
> with a couple of other small changes so that
> send_registration_notifications/2 was able to handle a JID as its Source in
> addition to an IP. This worked fine with a SleekXMPP test client script
> like this one:
>
>
> https://github.com/lehrblogger/SleekXMPP/blob/develop/examples/register_account_for_other.py
>
>
> When I try to make a similar registration IQ from my component, I get an
> error like this one:
>
> =ERROR REPORT==== 2012-04-30 23:30:22 ===
> E(<0.8727.0>:gen_iq_handler:118) : {{case_clause,{allow,true}},
>                                     [{mod_register,try_register,5},
>                                      {mod_register,
>                                       try_register_or_set_password,9},
>                                      {gen_iq_handler,process_iq,6},
>                                      {gen_iq_handler,handle_info,2},
>                                      {gen_server,handle_msg,5},
>                                      {proc_lib,init_p_do_apply,3}]}
>
>
> I'm pretty new to Erlang and ejabberd, so I've not quite been able to get
> to the bottom of what's wrong. try_register/5 in mod_register.erl is
> calling check_ip_access/2 here:
>
> https://github.com/processone/ejabberd/blob/2.1.x/src/mod_register.erl#L330
>
> which in turn calls ejabberd_sm:get_user_ip here/3:
>
> https://github.com/processone/ejabberd/blob/2.1.x/src/mod_register.erl#L609
>
> which then tries to look up something in mnesia here:
>
> https://github.com/processone/ejabberd/blob/2.1.x/src/ejabberd_sm.erl#L154
>
> which returns [], which matches to return undefined, and that causes
> try_register to throw an error.
>
> My best guess is that ejabberd is checking to make sure that requests are
> coming from a client IP that it knows has connected, which seems like a
> good thing to do for security, and that it *is not* keeping track of those
> IPs by default for components. When it tries to verify the component is
> from a connected IP, it finds nothing in mnesia, and blocks the
> registration.
>
> What's the simplest way to patch ejabberd and fix this, without breaking
> anything else or opening any security holes?
>
> Thanks!
>
> Cheers,
> Steven
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.jabber.ru/pipermail/ejabberd/attachments/20120505/e35bfe6b/attachment.html>


More information about the ejabberd mailing list