Privacy lists XEP-0016 "black hole"

Igor Khomenko
Added over 3 years ago

Hi there,

I guess I found a "black hole" effect with Privacy lists XEP-0016

Here is the XEP-0016 specification

http://xmpp.org/extensions/xep-0016.html#protocol-error

The following part is interesting:

For message stanzas, the server SHOULD return an error, which SHOULD be <service-unavailable/>. [8]
..
8. Until version 1.5 of this document (therefore also in RFC 6121), it was recommended to silently ignore message stanzas, which unfortunately resulted in a delivery "black hole" regarding message stanzas.

So it works okay when 2 users are online - User1 receives an error

but

if User2 is offline then User1 receives nothing

From my understanding it happens because the 'filter' method is used in this case

https://projects.tigase.org/projects/tigase-server/repository/revisions/master/entry/src/main/java/tigase/xmpp/impl/JabberIqPrivacy.java#L118

so you just silently remove the packet from the queue

It's better to generate an error stanza here as well and return it back to the sender

what do you think?
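
The behaviour the post asks for, as an added example that is not part of the original post and is not Tigase code: a toy router checks the recipient's privacy list before deciding between online delivery and offline storage, so a blocked sender gets the same `<service-unavailable/>` error in both cases. The JIDs, the tuple form of the list and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Constructed sample data: User2's privacy list as (order, jid, action) rules,
# and a chat message from User1 already stamped with 'from' by the server.
USER2_LIST = [(1, "user1@example.com", "deny")]
SAMPLE = ("<message from='user1@example.com/phone' to='user2@example.com' "
          "id='m1' type='chat'><body>hi</body></message>")


def is_denied(privacy_list, sender_jid):
    """First matching rule in ascending order wins; no match means allow."""
    bare = sender_jid.split("/", 1)[0]
    for _order, jid, action in sorted(privacy_list):
        if jid in (sender_jid, bare):  # simplified: full or bare JID only
            return action == "deny"
    return False


def blocked_message_error(message_xml):
    """Build the <service-unavailable/> error for a blocked <message/>.

    Returns None if the blocked stanza is itself an error, so that errors
    are never answered with further errors.
    """
    msg = ET.fromstring(message_xml)
    if msg.tag != "message" or msg.get("type") == "error":
        return None
    # Swap the addresses so the error goes back to the original sender.
    reply = ET.Element("message", {"type": "error", "from": msg.get("to"),
                                   "to": msg.get("from")})
    if msg.get("id"):
        reply.set("id", msg.get("id"))
    error = ET.SubElement(reply, "error", {"type": "cancel"})
    ET.SubElement(error, "{%s}service-unavailable" % STANZAS_NS)
    return reply


def deliver(message_xml, privacy_list, recipient_online):
    """Return (outcome, error_reply); the privacy check precedes routing."""
    sender = ET.fromstring(message_xml).get("from")
    if is_denied(privacy_list, sender):
        return "blocked", blocked_message_error(message_xml)
    return ("delivered" if recipient_online else "stored-offline"), None
```
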


Replies (6)

Added by Wojciech Kapcia TigaseTeam over 3 years ago

Thank you for the report, I've created issue #3679 and added you as a watcher.

Added by Igor Khomenko over 3 years ago

Thank you,

looks like we don't have this issue in http://xmpp.org/extensions/xep-0191.html

so XEP-0016 is affected only

Added by Igor Khomenko about 3 years ago

Looks like it's fixed

please update https://projects.tigase.org/issues/3679

Added by Igor Khomenko almost 3 years ago

Sorry, it's still here

I saw some changes

https://projects.tigase.org/projects/tigase-server/repository/changes/src/main/java/tigase/xmpp/impl/JabberIqPrivacy.java?rev=master

but it still doesn't work

The main issue is with this check for null:

    @Override
    public void filter(Packet packet, XMPPResourceConnection session,
                       NonAuthUserRepository repo, Queue<Packet> results) {
        if ((session == null) || !session.isAuthorized() || (results == null)
                || (results.size() == 0)) {

so we can't even check the recipient's privacy list when he is offline

Added by Igor Khomenko almost 3 years ago

Yeah, as I see it's really hard to have access to the UserRepository without a session...

Added by Wojciech Kapcia TigaseTeam almost 3 years ago

This is correct, and given current limitations (no session and limited NonAuthUserRepository) it can't be done now.
