jdev - 2020-10-24


  1. lovetox

    should a client check the jid on an iq response

  2. lovetox

    i use a uuid as iq id

  3. lovetox

    and i don't check if the jid in the response is the jid i did send the iq too

  4. lovetox

    and i don't check if the jid in the response is the jid i did send the iq to

  5. lovetox

    because i always thought it's almost impossible that another account can send me a response with this id that fits what i expect

  6. Ge0rG

    I think we pondered about that in the past and tried to come up with situations where you leak the id of an in-flight IQ to third parties. But I'm not sure what the outcome was

  7. Zash

    Why wouldn't you check the JID?

  8. lovetox

    because it's additional work

  9. Ge0rG

    still it's good practice to check the sender JID

  10. lovetox

    there should be a gain which we could name

  11. lovetox

    but i just realized it's very easy to do this

  12. lovetox

    right now i have the callbacks in a dict

  13. lovetox

    id: callbacks

  14. lovetox

    and i just need to save it like (jid, id): callback

  15. Ge0rG

    don't forget to expire them from the map after a timeout