[ejabberd] mod muc - actor element

Badlop badlop at gmail.com
Tue Apr 23 12:39:30 MSK 2013


On 22 April 2013 04:53, Purvesh Sahoo <jimpu2 at gmail.com> wrote:

> I implemented support for this, so I thought I'd share what I had till
> now. I've attached a patch for this.
>


The XEP says ( http://xmpp.org/extensions/xep-0045.html#kick )
> The service MUST remove the kicked occupant by sending a presence stanza
> of type "unavailable" to each kicked occupant, including [...] the roomnick
> or bare JID of the user who initiated the kick.

but your code sends the full JID, not the roomnick or bare JID:
    <item affiliation='none' role='none'>
      <actor jid='user1admin at localhost/tkabber-home'/>
    </item>

That example room was configured to display occupant full JIDs only to room
admins, but the kicked occupant got the admin full JID without being admin
at all. In conclusion, that patch introduces a way to leak information.

Can you take a look if it's simple to update your code to provide only the
kicker room nick, instead of its full JID?


--
Badlop
ProcessOne
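
The check described in the message above, as an added example that is not part of the original post or of ejabberd: it parses the presence stanza delivered to a kicked occupant and reports whether the `<actor/>` element hands over a full JID. The sample stanzas, JIDs and function names are constructed for illustration, and carrying the room nick in a `nick` attribute on `<actor/>` is an assumption of this example.

```python
import xml.etree.ElementTree as ET

MUC_USER = "http://jabber.org/protocol/muc#user"  # XEP-0045 namespace

# Constructed sample stanzas (JIDs and nicks are made up for this example).
LEAKY = """<presence from='room@conference.example.org/victim' type='unavailable'>
  <x xmlns='http://jabber.org/protocol/muc#user'>
    <item affiliation='none' role='none'>
      <actor jid='admin@example.org/home'/>
    </item>
  </x>
</presence>"""
NICK_ONLY = LEAKY.replace("jid='admin@example.org/home'", "nick='moderator'")


def bare_jid(jid):
    """Drop the resource part; the first '/' always starts the resource."""
    return jid.split("/", 1)[0]


def actor_disclosures(presence_xml):
    """Return (kind, value) for every <actor/> in a muc#user payload."""
    found = []
    for actor in ET.fromstring(presence_xml).iter("{%s}actor" % MUC_USER):
        jid, nick = actor.get("jid"), actor.get("nick")
        if jid is not None:
            kind = "full_jid" if "/" in jid else "bare_jid"
            found.append((kind, jid))
        elif nick is not None:
            found.append(("nick", nick))
    return found


def kick_presence_leaks(presence_xml, recipient_may_see_full_jids):
    """True if the stanza hands a full JID to a recipient not entitled to it."""
    if recipient_may_see_full_jids:
        return False
    return any(kind == "full_jid" for kind, _ in actor_disclosures(presence_xml))


if __name__ == "__main__":
    for name, stanza in (("leaky", LEAKY), ("nick only", NICK_ONLY)):
        print(name, actor_disclosures(stanza), kick_presence_leaks(stanza, False))
```

Run against stanzas captured by a non-admin test occupant, this works as a regression check for the room setting that shows full JIDs only to admins.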