[Psi-Devel] Psi and MUC problem
omega1 at altern.org
Fri Aug 1 09:58:37 PDT 2008
Hi folks !
Today I've encountered a relatively severe bug using psi and a MUC room
(specifically mu-conference, but I've tested with ejabberd's mod_muc and the
same problem occurs).
This bug allow anyone to kick every psi user of a room (tested with psi-0.11
and psi-svn from yesterday). The principe is simple, just send a buggy
encrypted message to a MUC room and every psi user will just happen to leave
the room. The problem is that Psi sends an error when it can't decode an
encrypted message (not-acceptable), and the MUC kick a user when it receives
an error message from this user.
I'm not sure if the problem is on the Psi side (the XEP-0027 doesn't say to
send an error back when the client can't decrypt a message), or on the MUC
implementations side (the XEP-0045 says "A MUC service SHOULD remove a user
if the service receives a delivery-related error in relation to a stanza it
has previously sent to the user (remote server unreachable, user not found,
etc.).", but does an not-acceptable error can be considered as a
delivery-related error ?).
xmpp:omega at im.apinc.org
More information about the Psi-Devel