instead of using the old baseName=smack appendix=project.name approach,
we are now going convention over configuration and renaming the
subprojects directories to the proper name.
Having a prefix is actually very helpful, because the resulting
libraries will be named like the subproject. And a core-4.0.0-rc1.jar is
not as explicit about what it actually *is* as a
smack-core-4.0.0-rc1.jar.
SMACK-265
in cases where a 'null' FromMatchesFilter was used and the processed
message would have a non-null 'from' attribute.
Thanks to sylvia for reporting this.
In the absence of checks on the from address, it is possible for other
clients to fake an answer to an IQ request.
This commit adds an IQReplyFilter, which drops all packets which are not
a valid reply to an IQ request. In particular, it checks for packet id,
from address and packet type.
Most(?) places waiting for a reply to an IQ request are converted to use
the IQReplyFilter.
For a discussion of the issues, see the thread "Spoofing of iq ids and
misbehaving servers" from 2014-01 on the jdev@jabber.org mailing list
and following discussion in February and March.
Smack contains two PacketFilters to filter on the from address.
FromContainsFilter simply does a substring match, which is problematic
as explained in SMACK-71. FromMatchesFilter partially fixes this
weakness, but it still uses String#startsWith to filter on bare
addresses. For example, when setup to match all JIDs with bare JID
"foo@example.co", it will still match "foo@example.com".
This commit changes FromMatchesFilter to test equality with the bare
from instead of startsWith with the full from.
Moreover, we convert all uses of FromContainsFilter to FromMatchesFilter
and remove FromContainsFilter. Additionally, the unused ToContainsFilter
(which as the same weaknesses) is removed, too.
Florian Schmaus
Lars Noschinski