XSF Discussion - 2020-10-05


  1. Holger

    Yes yes, I just meant that having a single setting for MAM and public logs might obviously circumvent MAM's access restrictions. If the admin enabled public logging in general, and the room owner (or his client) just wants to enable MAM logging for a private group.

  3. Holger

    (But seems everyone agrees now anyway. This was different last time we discussed this.)

  4. pep.

    Zash: the changesubject thing was wrong in that MUC example right? roominfo / roomconfig

  5. pep.

    Holger: everyone on a subset of 3

  6. pep.

    Maybe that's already better than last time :p

  7. Holger

    pep.: Everyone else had an entire night of time to object!

  8. Zash

    pep.: Hm? No? Just weird and inconsistent.

  9. lovetox

    is it somewhere defined what a server needs to return on disco-info to an account that does not exist?

  10. Zash

    https://xmpp.org/rfcs/rfc6120.html#rules-local-barejid-nosuchuser > For an IQ stanza, the server MUST return a <service-unavailable/> stanza error (Section 8.3.3.19) to the sender.

  11. lovetox

    ejabberd returns subscription-required

  12. lovetox

    but ok

  13. pep.

    What would you have to subscribe to to disco an account? Roster?

  14. Guus

    It might be needed to distinguish between JIDs that do not refer to an existing entity, and JIDs that are associated with users that used SASL ANON.

  15. Guus

    You can probably disco/info an anonymous user?

  16. Ge0rG

    something something user enumeration attacks

  17. Guus

    'something something' isn't going to cut it. Be more specific please.

  18. Ge0rG

    A server should ideally return the same response for an existing user as for a non-existing one, unless you are allowed to see the respective record

  19. Zash

    so that it's not trivial to find out which users exist

  20. lovetox

    yeah so subscription-required makes more sense

  21. lovetox

    because this you can return for ALL users

  22. lovetox

    while service-unavailable you can only return for users that don't exist?

  23. lovetox

    or does prosody also return that if you are not subscribed to a contact

  24. Zash

    Should be the same error in both cases

  25. lovetox

    am I allowed to disco info the contact if he sent me a message?

  26. lovetox

    or can I simply never disco info a contact I'm not subscribed to

  27. Zash

    no. probably.

  28. Zash

    sending a message wouldn't matter here

  29. Ge0rG

    lovetox: most servers try to stay stateless as far as possible, so incoming traffic isn't registered as any kind of auth, only presence subscriptions

  30. Zash

    Storage hit for roster lookups