[jitsi-dev] @ is stripped from password in XMPP


#1

Hello,

I tried to raise awareness for this issue some time ago and was turned
down for inobvious reasons.

I still cannot authenticate to my Jabber server because Jitsi removes all
occurrences of the @ character from the password prior to authentication.

I see no reason whatsoever for this behaviour.

-nik


--
Wer den Grünkohl nicht ehrt, ist der Mettwurst nicht wert!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#2

I'm not aware of any prohibition on the '@' character in passwords
(e.g., in SASLprep).

Peter

--
Peter Saint-Andre
https://stpeter.im/


On 3/23/13 5:43 PM, Dominik George wrote:

Hello,

I tried to raise awareness for this issue some time ago and was
turned down for inobvious reasons.

I still cannot authenticate to my Jabber server because Jitsi
removes all occurrences of the @ character from the password prior
to authentication.

I see no reason whatsoever for this behaviour.


#3

Hello,

I tried to raise awareness for this issue some time ago and was turned
down for inobvious reasons.

I don't think that's a fair summary :). Here's how I remember it:

Hey Nik,

Hi,

using the latest nightly build, I cannot authenticate to my Jabber server.

My password contains the @ character and, sniffing on the connection on
the server-side, this @ is never sent. It seems to be stripped from the
password before Jitsi sends it on the wire.

I am pretty sure this is a bug.

I just tried using an @ in various XMPP passwords and didn't have any
issues.

I do admit we didn't continue chasing this but we are simply unable to
reproduce it (and I still don't think that "turned down for inobvious
reasons" is accurate).

Anyways, to eliminate suspicion, could you please try and use a password
containing the @ character on other servers? Gmail and jit.si would be
worth trying.

Cheers,
Emil


On 24.03.13, 00:43, Dominik George wrote:

On 16.09.12, 20:11, Dominik George wrote:

On 16.09.12, 20:22, Emil Ivov wrote:

--
https://jitsi.org


#4

Hi stpeter,

I'm not aware of any prohibition on the '@' character in passwords
(e.g., in SASLprep).

I cannot say anything about where this happens. What I observe is:

- Set my password to foob@r on the server
- Try to login with password foob@r from Jitsi
- Sniff network traffic on server

The result is that the password the server receives is foobr rather than
foob@r.

This is my observation, and I double-checked it, so I assume it is
right.

-nik

--
<burny> Ein Jabber-Account, sie alle zu finden; ins Dunkel zu treiben
        und ewig zu binden; im NaturalNet, wo die Schatten droh'n ;)!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#5

Hi all,

not sure if this is a smart or stupid feature request, but
in my case (I use 4 xmpp accounts in jitsi) it's rather annoying
having to set the status for all 4 accounts individually,
if I want to use a custom status.

Requesting: Allow custom status for all accounts. (just display
them below the normal status options, similar to the way they are
displayed in the single account).

Should I create a ticket for this request?

Best,
steve


#6

Hi,

Anyways, to eliminate suspicion, could you please try and use a password
containing the @ character on other servers? Gmail and jit.si would be
worth trying.

I just registered an account natureshadow on jit.si with password
test@foo. I then tried to add the account to Jitsi and cannot login:

  SASL authentication DIGEST-MD5 failed: not-authorized

-nik


--
<burny> Ein Jabber-Account, sie alle zu finden; ins Dunkel zu treiben
        und ewig zu binden; im NaturalNet, wo die Schatten droh'n ;)!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#7

Hi all,

not sure if this is a smart or stupid feature request, but
in my case (I use 4 xmpp accounts in jitsi) it's rather annoying
having to set the status for all 4 accounts individually,
if I want to use a custom status.

Requesting: Allow custom status for all accounts. (just display
them below the normal status options, similar to the way they are
displayed in the single account).

Sounds reasonable. I actually think this would make for a great micro
project that we could use for student evaluation on occasion.

Should I create a ticket for this request?

That would be nice, thank you.


On 24.03.13, 21:49, Steve wrote:

Best,
steve

--
https://jitsi.org


#8

Hmm ... just logged with this (hope you don't mind) and had no issues.
Do you have the problem with other XMPP clients?

Emil


On 25.03.13, 00:08, Dominik George wrote:

Hi,

Anyways, to eliminate suspicion, could you please try and use a password
containing the @ character on other servers? Gmail and jit.si would be
worth trying.

I just registered an account natureshadow on jit.si with password
test@foo. I then tried to add the account to Jitsi and cannot login:

  SASL authentication DIGEST-MD5 failed: not-authorized

--
https://jitsi.org


#9

Hi,

my last guess was correct!

The problem is not in the authentication or network code - it is the
input field which behaves oddly in a de_DE locale.

Entering the password containing the @ character in the password field
directly results in it being missing in the password (although a
character is added to the field), but I could successfully type the
password in another window and paste it into the password field.
Authentication then succeeded.

The @ character appears without any problems in the JID input field.

-nik


--
Wer den Grünkohl nicht ehrt, ist der Mettwurst nicht wert!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#10

I hope the explanation is understandable: http://java.net/jira/browse/JITSI-1115


Should I create a ticket for this request?

That would be nice, thank you.


#11

So very weird. A quick googling didn't reveal any similar issues with
JPasswordField and localisation. Is anyone else having this problem?

Emil


On 25.03.13, 00:46, Dominik George wrote:

Hi,

my last guess was correct!

The problem is not in the authentication or network code - it is the
input field which behaves oddly in a de_DE locale.

Entering the password containing the @ character in the password field
directly results in it being missing in the password (although a
character is added to the field), but I could successfully type the
password in another window and paste it into the password field.
Authentication then succeeded.

The @ character appears without any problems in the JID input field.

--
https://jitsi.org


#12

The problem is not in the authentication or network code - it is the
input field which behaves oddly in a de_DE locale.

Entering the password containing the @ character in the password field
directly results in it being missing in the password (although a
character is added to the field), but I could successfully type the
password in another window and paste it into the password field.
Authentication then succeeded.

The @ character appears without any problems in the JID input field.

What OS, version, desktop manager, etc. are you using?

So very weird. A quick googling didn't reveal any similar issues with
JPasswordField and localisation. Is anyone else having this problem?

No, working fine on Win7 x64 en, with Jitsi x32 de.

Ingo


#13

I can reproduce that. Behaves exactly as described.
I am running kde, latest jitsi, german language

--
Yannik Völker



#14

I forgot to mention that I am using the neo2 keyboard layout.

--
Yannik Völker


On 28.03.2013 17:43, Yannik Völker wrote:

I can reproduce that. Behaves exactly as described. I am running
kde, latest jitsi, german language


#15

I can reproduce that. Behaves exactly as described. I am running
kde, latest jitsi, german language

I forgot to mention that I am using the neo2 keyboard layout.

Do you have any other Java Swing-based application with a password field at hand or could you perhaps create a simple form on your own? Just to try whether it’s a Java/OS/Keyboard-Layout combination or really something inside Jitsi.

Ingo


#16

Same Problem with another app…
can someone tell me whom to report that bug to?

--
Yannik Völker


On 28.03.2013 22:09, Ingo Bauersachs wrote:

I can reproduce that. Behaves exactly as described. I am
running kde, latest jitsi, german language

I forgot to mention that I am using the neo2 keyboard layout.

Do you have any other Java Swing-based application with a password
field at hand or could you perhaps create a simple form on your
own? Just to try whether it’s a Java/OS/Keyboard-Layout combination
or really something inside Jitsi.

Ingo


#17

I can reproduce that. Behaves exactly as described. I am
running kde, latest jitsi, german language

I forgot to mention that I am using the neo2 keyboard layout.

Do you have any other Java Swing-based application with a password
field at hand or could you perhaps create a simple form on your
own? Just to try whether it’s a Java/OS/Keyboard-Layout combination
or really something inside Jitsi.

Ingo

Same Problem with another app…
can someone tell me whom to report that bug to?

Thanks for the testing, we're relieved to hear it's not Jitsi itself.

Maybe try to isolate which component is causing the failure (normal keyboard, different desktop manager, Oracle's JRE instead of OpenJDK, ...) then report to the project you think is the root cause. My best guess would be your unusual keyboard layout...

Ingo
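
The stand-alone Swing test form suggested earlier in the thread could look like the following. This is an added example, not code from the thread or from Jitsi, and the class name PasswordFieldProbe is hypothetical. It prints the code points that a plain text field, the KEY_TYPED events and a JPasswordField each received, so a character dropped or substituted by the JRE/keyboard-layout combination becomes visible.

```java
import java.awt.GridLayout;
import java.awt.event.KeyAdapter;
import java.awt.event.KeyEvent;
import java.nio.CharBuffer;
import java.util.Arrays;
import javax.swing.*;

/** Hypothetical probe, independent of Jitsi: compares JTextField and JPasswordField input. */
public class PasswordFieldProbe {
    // Render text as U+XXXX code points so missing or substituted characters stand out.
    static String codePoints(CharSequence s) {
        StringBuilder out = new StringBuilder();
        s.codePoints().forEach(cp -> out.append(String.format("U+%04X ", cp)));
        return out.toString().trim();
    }

    public static void main(String[] args) {
        SwingUtilities.invokeLater(() -> {
            JTextField plain = new JTextField(20);
            JPasswordField secret = new JPasswordField(20);
            StringBuilder typed = new StringBuilder(); // chars delivered to the password field
            secret.addKeyListener(new KeyAdapter() {
                @Override public void keyTyped(KeyEvent e) {
                    char c = e.getKeyChar();
                    // Ignore backspace, enter etc.; type the test string without corrections.
                    if (c != KeyEvent.CHAR_UNDEFINED && !Character.isISOControl(c)) typed.append(c);
                }
            });
            JButton compare = new JButton("Compare");
            compare.addActionListener(e -> {
                char[] stored = secret.getPassword();
                System.out.println("text field     : " + codePoints(plain.getText()));
                System.out.println("KEY_TYPED chars: " + codePoints(typed));
                System.out.println("password field : " + codePoints(CharBuffer.wrap(stored)));
                System.out.println("fields match   : "
                        + Arrays.equals(stored, plain.getText().toCharArray()));
                Arrays.fill(stored, '\0'); // wipe the copy returned by getPassword()
                typed.setLength(0);
            });
            JFrame f = new JFrame("JPasswordField probe");
            f.setLayout(new GridLayout(0, 1));
            f.add(new JLabel("Type the same throwaway string (e.g. foob@r) in both fields:"));
            f.add(plain); f.add(secret); f.add(compare);
            f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
            f.pack();
            f.setVisible(true);
        });
    }
}
```

If the KEY_TYPED line already lacks U+0040, the character is lost before Swing's password field sees it, which points at the JRE input handling or the keyboard layout rather than the application.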