#1398 mod_websocket leaks explicit xmlns attr

Reporter Zash
Owner Zash
Created
Updated
Stars ★ (1)
Tags
  • Status-Fixed
  • Milestone-0.11
  • Priority-Medium
  • Type-Defect
  1. Zash on

    What steps will reproduce the problem? 1. Websocket and normal clients in a MUC (or other broadcast source) 2. ???? What is the expected output? Websocket clients see the required xmlns="jabber:client" Normal clients don't since i What do you see instead? Normal clients sometimes see explicit xmlns="jabber:client" depending on load order. What version of the product are you using? On what operating system? Probably affecting 0.10 and later, not tested. Please provide any additional information below. mod_websocket applies xmlns="jabber:client" before serialization but doesn't (and can't) undo this mutation of the stanza object. In cases where the same stanza object is broadcast to multiple recipients without Affects things like mod_smacks that check for xmlns to determine if it's a stanza or stream element. Can be fixed by cloning the stanza somewhere, either in mod_websocket or mod_muc and other modules that do broadcasts, or both. Reported by tmolitor

  2. tmolitor on

    Ideally all modules doing any form of broadcasts should clone the stanzas involved before broadcasting them, that would eliminate this bug vector entirely (hopefully).

  3. Zash on

    Fixed in https://hg.prosody.im/trunk/rev/4b3c129e96f2

    Changes
    • owner Zash
    • tags Milestone-0.11 Status-Fixed

New comment

Not published. Used for spam prevention and optional update notifications.