Non-Sasl authentication shouldn't allow for spaces post- or prepending the provided form data.

Description

Currently, Openfire silently trims the values that are provided by a client in jabber:iq:auth forms. This leads to unexpected results, as those values are most likely to be re-used by the clients in JIDs.

Spaces aren't allowed in JID nodes, for example. By trimming the username element text value in the jabber:iq:auth form, Openfire causes a lot of confusion.

Instead, Openfire should not modify the values provided by the clients. If invalid authentication data is provided, XEP-0078 suggests that a not-authorized error is returned.

Environment

None

Activity

Show:

Guus der Kinderen

October 16, 2008, 3:53 PM

Copy link to comment

Applied fix that was tested locally.

IQAuthHandler will now:

parse data as it is provided by the client. Data won't be trimmed any longer, although some toLowerCase() calls remain;
return not-authorized if invalid data was provided during authentication.

Fixed

Assignee

Gaston Dombiak

Reporter

Guus der Kinderen

Labels

None

Expected Effort

None

Ignite Forum URL

None

Fix versions

3.6.1

Priority

Major

Configure