https://xmpp.org/extensions/xep-0363.html#request What's the rationale for limiting headers to these 3 only?
pep.
(Authorization, Cookie, Expires)
MattJ
pep.: to limit the evil that can be done by a server
MattJ
The server can return any address for the upload, including things like LAN addresses. Some HTTP implementation security flaws can be exploited through header manipulation.
Zash
A server running on a LAN would return a LAN address...
pep.
evil server doing evil things via their client, through a quite small attack surface
pep.
So if tomorrow I need to pass Foo: bar because my server requires it, @#$% me?
jonas’
yes.
pep.
"640K is enough for everyone" ish
jonas’
the alternative would've been to depend '363 on CORS
jonas’
which nobody wanted
jonas’
because you need to get consent from the receiving domain that the "sending" domain (your XMPP server) is allowed to formulate a request (via the client) to that domain
jonas’
which is what CORS is all about
jonas’
nobody wants CORS in XMPP
jonas’
hence, keep it simple
Zash
Just use the standard solution to all HTTP problems: Add another reverse proxy.
jonas’
how would that help?
jonas’
oh, the xmppd being one, yes
Zash
The proxy can add that header.
Zash
> So if tomorrow I need to pass Foo: bar
jonas’
or it could transform Cookie/Authorization to that header, indeed
Zash
or ?query stuff
jonas’
sure
jonas’
pep., also, given the number of stupid plastic routers and stuff like log4shell, I wouldn't consider the attack surface small.
pep.
Right so considering the server evil is now a norm I guess?
Zash
Meh
pep.
HTTP Upload again, multiple times the same header seems to be unspecified?
I just realized it's written nowhere that one must forward headers to the put url, I think. It's written that one must ignore other headers and must not include them in the http request
pep.
Maybe it could also be hinted that http handles multiple headers just fine
pep.
"just fine" (I hear)
jonas’
"the server providing the headers will know what it's doing, eh"
Zash
If you control both the client and server, you can of course use forbidden headers all you want