Difference between revisions of "XEP-Remarks/XEP-0280: Message Carbons"

XEP-Remarks/XEP-0280: Message Carbons (view source)

231 bytes added , 13:09, 28 January 2021

no edit summary

145

edits

@@ Line 15: / Line 15: @@
 = Client-Side Processing =
-Carbons MUST NOT be accepted from JIDs other than the user's bare account JID!
+'''Carbons MUST NOT be accepted from JIDs other than the user's bare account JID''', or else:
+* [https://op-co.de/tmp/CVE-2017-5589.html CVE-2017-5589+ Multiple XMPP Clients User Impersonation Vulnerability]
+* [https://gultsch.de/dino_multiple.html CVE-2019-16235+ Multiple Vulnerabilities found in Dino]
 Before processing a Carbon, the client must determine whether the message was a MUC-PM or a regular chat message (this might require an IQ round-trip to the sending entity).
@@ Line 23: / Line 26: @@
 # If the forwarded message contains an <tt><x xmlns='http://jabber.org/protocol/muc'></tt> payload, it's a PM
 # If the partner's bare JID is a known MUC (joined, listed in bookmarks), it's a PM
-# If the partner's bare JID is in the roster, it's *probably* a normal message (shakes fist at Gajim)
+# If the partner's bare JID is in the roster, it's '''probably''' a normal message (shakes fist at Gajim)
 # If still undetermined, send a <tt>disco#info</tt> IQ to the partner's bare JID and delay processing of the Carbon (yes, ewwww!)
 # If the <tt>disco#info</tt> response contains <tt><feature var='http://jabber.org/protocol/muc'/></tt> then it's a PM, otherwise it's a normal message. Cache the disco result for next time!