mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-24 18:22:24 -05:00
Merge pull request #1277 from Zash/xep-0223-check-event-origin
xep-0223: Add origin checking to security considerations
This commit is contained in:
commit
7c27ee5497
@ -25,6 +25,12 @@
|
|||||||
<supersededby/>
|
<supersededby/>
|
||||||
<shortname>N/A</shortname>
|
<shortname>N/A</shortname>
|
||||||
&stpeter;
|
&stpeter;
|
||||||
|
<revision>
|
||||||
|
<version>1.1.1</version>
|
||||||
|
<date>2023-03-23</date>
|
||||||
|
<initials>ka</initials>
|
||||||
|
<remark><p>Add notes about checking event origin (in reaction to CVE-2023-28686).</p></remark>
|
||||||
|
</revision>
|
||||||
<revision>
|
<revision>
|
||||||
<version>1.1</version>
|
<version>1.1</version>
|
||||||
<date>2018-03-28</date>
|
<date>2018-03-28</date>
|
||||||
@ -245,6 +251,7 @@
|
|||||||
|
|
||||||
<section1 topic='Security Considerations' anchor='security'>
|
<section1 topic='Security Considerations' anchor='security'>
|
||||||
<p>Since private data is to be stored in a mechanism originally intended to <em>publish</em> data, it is REQUIRED for entities to ensure that the restrictive <publish-options/> will actually be honored by the server by performing the feature discovery procedure as specified in <link url='#support'>Determining Support</link>. If an entity using that procedure finds that the server does not support <publish-options/>, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.</p>
|
<p>Since private data is to be stored in a mechanism originally intended to <em>publish</em> data, it is REQUIRED for entities to ensure that the restrictive <publish-options/> will actually be honored by the server by performing the feature discovery procedure as specified in <link url='#support'>Determining Support</link>. If an entity using that procedure finds that the server does not support <publish-options/>, it MUST NOT store private data in PubSub, unless it can ensure privacy of the data with other means.</p>
|
||||||
|
<p>The configuration of a local pubsub node does not prevent an attacker or a contact with a misconfigured node from sending pubsub events with the same payload. Therefore clients MUST verify that the ‘from’ attribute on incoming event messages is either absent or equal to their own account JID.</p>
|
||||||
<p>The Security Considerations specified in <cite>XEP-0060</cite> and <cite>XEP-0163</cite> need to be taken into account.</p>
|
<p>The Security Considerations specified in <cite>XEP-0060</cite> and <cite>XEP-0163</cite> need to be taken into account.</p>
|
||||||
</section1>
|
</section1>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user