Opened 6 years ago

Last modified 3 years ago

#15669 new defect

XMPP: Unsaved but cached password should be cleared on invalid-authzid

Reported by: xnyhps
Owned by: deryni
Milestone:
Component: XMPP
Version: 2.10.7
Keywords: invalid-authzid jabber.org
Cc:

Description (last modified by Robby)

When using an incorrect password on jabber.org, it returns invalid-authzid instead of what should be not-authorized.

If Pidgin is set to not save a password, then the password is still cached in memory. Only on not-authorized is this cached password automatically removed (causing a reprompt). On any other auth-related error the cached password is kept. The only way to remove this password is by entering a value in the account's preferences and clearing it again.

Because Pidgin doesn't support using an authcid different from an authzid, I think it's fair to treat invalid-authzid as a reason to clear the cached password.

Attachments (3)

authzid.diff (720 bytes) - added by xnyhps 6 years ago.
pidgin-clear_pass.patch (579 bytes) - added by boyan 3 years ago.
Clear password on any error from the jabber server
pidgin-jabber_clear_pass.patch (666 bytes) - added by boyan 3 years ago.
Clear password on error from jabber server, v2


Change History (7)

Changed 6 years ago by xnyhps

comment:1 Changed 6 years ago by xnyhps

I've attached a patch to fix this issue.

comment:2 Changed 6 years ago by Robby

  • Description modified (diff)

:P

comment:3 Changed 3 years ago by boyan

I've tried this patch, but I'm receiving a different error:

jabber: Recv (ssl)(80): <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><malformed-request/></failure>
connection: Connection error on 0xxxxxxxxx (reason: 2 description: Authentication Failure)

I guess this is "malformed-request". I've modified the patch from comment 1 to clear the password on every error.

Changed 3 years ago by boyan

Clear password on any error from the jabber server

Changed 3 years ago by boyan

Clear password on error from jabber server, v2

comment:4 Changed 3 years ago by boyan

The previous patch would clear the password on any error. I think this one is more correct (pidgin-jabber_clear_pass.patch).
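The behaviour discussed in this ticket, as an added sketch that is not Pidgin's code and not the contents of any attached patch: read the condition out of a SASL `<failure/>` stanza and wipe an unsaved, cached password when the condition indicates rejected credentials. The `struct account` model, the function names and the choice of conditions (taken from the ticket discussion) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical account model for this sketch; not Pidgin's PurpleAccount. */
struct account {
    bool remember_password;  /* user chose to save the password */
    char password[64];       /* in-memory copy reused on reconnect */
};

/* Assumed policy: SASL failure conditions (names from RFC 6120) treated as
 * "credentials rejected". Anything else keeps the cached password. */
static const char *const credential_failures[] = {
    "not-authorized", "invalid-authzid", "malformed-request",
};

/* Copy the name of the first child element of <failure/> into out.
 * Minimal scanner for this sketch, not a general XML parser. */
bool sasl_failure_condition(const char *stanza, char *out, size_t outlen)
{
    const char *p = strstr(stanza, "<failure");
    if (!p || !(p = strchr(p, '>')) || !(p = strchr(p, '<')) || p[1] == '/')
        return false;  /* no <failure>, or it has no child element */
    size_t n = strcspn(++p, " />");
    if (n == 0 || n >= outlen)
        return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Returns true if the cached password was wiped (caller should reprompt).
 * Assumption: a password the user chose to save is left untouched. */
bool handle_sasl_failure(struct account *acct, const char *stanza)
{
    char cond[32];
    if (acct->remember_password || !sasl_failure_condition(stanza, cond, sizeof cond))
        return false;
    for (size_t i = 0; i < sizeof credential_failures / sizeof *credential_failures; i++) {
        if (strcmp(cond, credential_failures[i]) != 0)
            continue;
        volatile char *v = acct->password;  /* volatile: keep the wipe from being optimised out */
        for (size_t j = 0; j < sizeof acct->password; j++)
            v[j] = 0;
        return true;
    }
    return false;
}
```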
