Mercurial > pidgin3 / changeset

changeset

Merged in yazawanico/main/release-2.x.y (pull request #293) release-2.x.y

Fri, 08 Dec 2017 02:01:18 +0000

author
Gary Kramlich <grim@reaperworld.com>
date
Fri, 08 Dec 2017 02:01:18 +0000
branch
release-2.x.y
changeset 38795
7f478dc7e64f
parent 38790
506eb507f450 (current diff)
parent 38794
d121a4418d1f (diff)
child 38796
8fc5d8755588

Merged in yazawanico/main/release-2.x.y (pull request #293)

jabber.c: fix #17270, ignore STARTTLS when using BOSH.

Approved-by: Eion Robb <eionrobb@gmail.com>
Approved-by: Gary Kramlich <grim@reaperworld.com>

--- a/libpurple/protocols/jabber/jabber.c	Sat Nov 25 15:52:27 2017 -0600
+++ b/libpurple/protocols/jabber/jabber.c	Fri Dec 08 02:01:18 2017 +0000
@@ -220,33 +220,32 @@
 
 	account = purple_connection_get_account(js->gc);
 
-#if 0
-	/*
-	 * This code DOES NOT EXIST, will never be enabled by default, and
-	 * will never ever be supported (by me).
-	 * It's literally *only* for developer testing.
+	/* It's a secure BOSH connection, just return FALSE and skip, without doing anything extra.
+	 * XEP-0206 (XMPP Over BOSH): The client SHOULD ignore any Transport Layer Security (TLS)
+	 * feature since BOSH channel encryption SHOULD be negotiated at the HTTP layer.
+	 *
+	 * Note: we are already receiving STARTTLS at this point from a SSL/TLS BOSH connection,
+	 * so it is not necessary to check if purple_ssl_is_supported().
 	 */
-	{
-		const gchar *connection_security = purple_account_get_string(account, "connection_security", JABBER_DEFAULT_REQUIRE_TLS);
-		if (!purple_strequal(connection_security, "none") &&
-				purple_ssl_is_supported()) {
-			jabber_send_raw(js,
-					"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
-			return TRUE;
-		}
+	if (js->bosh && jabber_bosh_connection_is_ssl(js->bosh)) {
+		return FALSE;
 	}
-#else
-	if(purple_ssl_is_supported()) {
+
+	/* Otherwise, it's a standard XMPP connection, or a HTTP (insecure) BOSH connection.
+	 * We request STARTTLS for standard XMPP connections, but we do nothing for insecure
+	 * BOSH connections, per XEP-0206. */
+	if(purple_ssl_is_supported() && !js->bosh) {
 		jabber_send_raw(js,
 				"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1);
 		return TRUE;
-	} else {
-		purple_debug_warning("jabber", "No libpurple TLS/SSL support found.");
 	}
-#endif
-
+
+	/* It's an insecure standard XMPP connection, or an insecure BOSH connection, let's
+	 * ignore STARTTLS even it's required by the server to prevent disabling HTTP BOSH
+	 * entirely (sysadmin is responsible to provide HTTPS-only BOSH if security is required),
+	 * and emit errors if encryption is required by the user. */
 	starttls = xmlnode_get_child(packet, "starttls");
-	if(xmlnode_get_child(starttls, "required")) {
+	if(!js->bosh && xmlnode_get_child(starttls, "required")) {
 		purple_connection_error_reason(js->gc,
 				PURPLE_CONNECTION_ERROR_NO_SSL_SUPPORT,
 				_("Server requires TLS/SSL, but no TLS/SSL support was found."));

Mercurial Repository: pidgin3

mercurial