qulogic/pidgin

Merged in yazawanico/main/release-2.x.y (pull request #293)
release-2.x.y
2017-12-08, Gary Kramlich
7f478dc7e64f
Parents 506eb507f450d121a4418d1f
Children 8fc5d8755588
Merged in yazawanico/main/release-2.x.y (pull request #293)

jabber.c: fix #17270, ignore STARTTLS when using BOSH.

Approved-by: Eion Robb
Approved-by: Gary Kramlich
1 files changed, 19 insertions(+), 20 deletions(-)
  • +19 -20
    libpurple/protocols/jabber/jabber.c
    • --- a/libpurple/protocols/jabber/jabber.c Sat Nov 25 15:52:27 2017 -0600
    +++ b/libpurple/protocols/jabber/jabber.c Fri Dec 08 02:01:18 2017 +0000
    @@ -220,33 +220,32 @@
    account = purple_connection_get_account(js->gc);
    -#if 0
    - /*
    - * This code DOES NOT EXIST, will never be enabled by default, and
    - * will never ever be supported (by me).
    - * It's literally *only* for developer testing.
    + /* It's a secure BOSH connection, just return FALSE and skip, without doing anything extra.
    + * XEP-0206 (XMPP Over BOSH): The client SHOULD ignore any Transport Layer Security (TLS)
    + * feature since BOSH channel encryption SHOULD be negotiated at the HTTP layer.
    + *
    + * Note: we are already receiving STARTTLS at this point from a SSL/TLS BOSH connection,
    + * so it is not necessary to check if purple_ssl_is_supported().
    */
    - {
    - const gchar *connection_security = purple_account_get_string(account, "connection_security", JABBER_DEFAULT_REQUIRE_TLS);
    - if (!purple_strequal(connection_security, "none") &&
    - purple_ssl_is_supported()) {
    - jabber_send_raw(js,
    - "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
    - return TRUE;
    - }
    + if (js->bosh && jabber_bosh_connection_is_ssl(js->bosh)) {
    + return FALSE;
    }
    -#else
    - if(purple_ssl_is_supported()) {
    +
    + /* Otherwise, it's a standard XMPP connection, or a HTTP (insecure) BOSH connection.
    + * We request STARTTLS for standard XMPP connections, but we do nothing for insecure
    + * BOSH connections, per XEP-0206. */
    + if(purple_ssl_is_supported() && !js->bosh) {
    jabber_send_raw(js,
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
    return TRUE;
    - } else {
    - purple_debug_warning("jabber", "No libpurple TLS/SSL support found.");
    }
    -#endif
    -
    +
    + /* It's an insecure standard XMPP connection, or an insecure BOSH connection, let's
    + * ignore STARTTLS even it's required by the server to prevent disabling HTTP BOSH
    + * entirely (sysadmin is responsible to provide HTTPS-only BOSH if security is required),
    + * and emit errors if encryption is required by the user. */
    starttls = xmlnode_get_child(packet, "starttls");
    - if(xmlnode_get_child(starttls, "required")) {
    + if(!js->bosh && xmlnode_get_child(starttls, "required")) {
    purple_connection_error_reason(js->gc,
    PURPLE_CONNECTION_ERROR_NO_SSL_SUPPORT,
    _("Server requires TLS/SSL, but no TLS/SSL support was found."));