Message delay element can be forged
Hello forum users/developers,
I've just realized that the
<delay/> element in a message (or in any other stanza for what is worth) can be forged by clients.
The OfflineMessages plugin adds its own
<delay/> element, possibly resulting in a duplicate delay.
Is this intended behavior? Should the delay element be added exclusively by servers?
Added by Wojciech Kapcia almost 3 years ago
In the Security considerations it's stated:
Absent cryptographic signing of stanzas and parts of stanzas, it is possible for delayed delivery notations to be forged. For example, the originator of a message (or the originator's server) could include a notation that makes it appear as if delivery of the message was delayed by the recipient's server. The same is true of delayed delivery notations putatively added by a Multi-User Chat room, which could be forged by the message originator, the originator's server, the recipient's server, or the server that hosts the chatroom service. Although the recipient's server SHOULD discard a delayed delivery notation whose 'from' attribute matches the server's JabberID (or return a error to the originator), this policy does not guard against forging of notations putatively from other entities (such as a chatroom hosted at a different trust domain). Therefore, a recipient SHOULD NOT rely on delayed delivery notations to provide a completely accurate representation of the delivery path or timing of a stanza it has received.
Therefore I think Tigase is more-or-less in line with the specification. Processing doesn't match delayed delivery notation whose 'from' attribute matches the server's JabberID hence I think we should not drop existing