jdev - 2021-09-04

  1. selurvedu

    Hey. I was reading the XMPP address format RFC, and it states [0] that "domainpart = IP-literal / IPv4address / ifqdn", where ifqdn should satisfy the Nameprep profile of stringprep. That profile [1] does not prohibit spaces [2]. The domainpart section [3] of the XMPP address format RFC also states that "The domainpart for every XMPP service MUST be a fully qualified domain name (FQDN; see [DNS]), IPv4 address, IPv6 address, or unqualified hostname (i.e., a text label that is resolvable on a local network)", and according to the linked DNS RFC [4], a domain name can consist of a single space character. Does all of this mean " " is a valid JID domainpart (and automatically a valid JID)? Does this also mean that any other domainpart containing spaces is invalid? I really hope there is some other specification I'm unaware of that prohibits both, otherwise this makes a little sense to me as I never heard of any such domain names before. If all of this is (unfortunately) correct, would it be safe to disregard the standards and simply assume that any space-containing domainpart is invalid? [0]: https://datatracker.ietf.org/doc/html/rfc6122#section-2.1 [1]: https://datatracker.ietf.org/doc/html/rfc3491#section-5 [2]: https://datatracker.ietf.org/doc/html/rfc3454#appendix-C.1.1 [3]: https://datatracker.ietf.org/doc/html/rfc6122#section-2.2 [4]: https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1

  2. Zash

    selurvedu, I think what you're missing is in IDNA

  3. jonas’

    {name,sasl,node}prep never cease to amaze me

  4. Zash is still scarred from the realization that a valid HTTP URL passes nameprep

  5. Zash

    Someone configured Prosody with `VirtualHost "https://www.example.com/"` and nothing complained, but nothing worked either.

  6. Link Mauve

    Maybe do a pass of idna on it, before accepting it as a valid JID?

  7. jonas’

    which idna though?

  8. Link Mauve

    Ugh.

  9. jonas’

    :)

  10. Zash

    It's also a completely valid JID

  11. Zash

    Link Mauve, oh and that would break the Dino room and some others :)

  12. jonas’

    how?

  13. Zash

    How what?

  14. jonas’

    how would using IDNA break the dino room?

  15. Zash

    Can you guess?

  16. jonas’

    no

  17. Zash

    `@` is not valid in IDNA

  18. jonas’

    sooo?

  19. Link Mauve

    Zash, parse it as a JID, then do the IDNA on the domainpart?

  20. Zash

    Yes.

  21. jonas’

    `@` is not part of the dino room's domainpart?

  22. jonas’

    I'm confused

  23. Zash

    It is, as far as Prosody is concerned. Sorta.

  24. Zash

    Whole thing is a dirty hack of course.

  25. jonas’

    thank you for letting me know that bit I didn't want to know

  26. Zash

    It's an undocumented hack, so maybe one day it'll just disappear...