Don't leak the real JIDs of participants when using mentions in semi-anonymous rooms. #1451
Converse is leaking real JIDs of participants in semi-anonymous MUCs when a moderator mentions anyone. It also will sometimes not include a "uri" attribute, even though the XEP states that this is required.
I've fixed both of these issues, though I'm not sure if this is a good way of doing so.
Thank you for this PR @lumi-me-not
I wrote to the standards list about this PR.
@iNPUTmice prefers to use real JIDs as far as possible, because nicknames aren't stable in MUCs. Anybody can take a nickname and thereby impersonate other users, or receive notifications for messages that were meant for someone else who used that nickname before them.
There are workarounds for this, for example registering nicknames with MUCs, which @mwild1 and I worked on in the context of Prosody and Converse, see auto_register_muc_nickname, but it's not widely deployed.
I think in light of all this, this change should be made configurable, with the current behavior being the default. The configuration setting can be called something like
(On a different, but related note, we should add validation for configuration settings to check that valid values are supplied).
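As an added illustration (not code from this pull request or from Converse), here is one way to choose the XEP-0372 reference `uri` so that a moderator's client only puts a real JID into a mention when the room advertises `muc_nonanonymous`, and never omits `uri`. All function and field names, and the sample room data, are assumptions made for the example.

```javascript
// Added example; every name below is hypothetical, not Converse's API.
const REFERENCE_NS = 'urn:xmpp:reference:0'; // XEP-0372 namespace

const bareJid = (jid) => jid.split('/')[0].toLowerCase();

// room.features: disco#info feature vars (XEP-0045), e.g. 'muc_semianonymous'.
// Fail closed: real JIDs are allowed only when the room says it is non-anonymous.
function mayExposeRealJid(room) {
  return room.features.includes('muc_nonanonymous');
}

// Always returns a URI, so the required 'uri' attribute is never left out.
function mentionUri(room, occupant) {
  if (mayExposeRealJid(room) && occupant.jid) {
    return `xmpp:${bareJid(occupant.jid)}`;
  }
  // Occupant JID (room@service/nick); the nick is percent-encoded for the URI.
  return `xmpp:${room.jid}/${encodeURIComponent(occupant.nick)}`;
}

function buildReferences(room, mentions) {
  return mentions.map(({ occupant, begin, end }) => ({
    xmlns: REFERENCE_NS, type: 'mention', begin, end,
    uri: mentionUri(room, occupant),
  }));
}

// Pre-send check: return references that lack a uri, or that carry a known
// real JID in a room that does not advertise muc_nonanonymous.
function auditReferences(room, references, occupants) {
  const realJids = new Set(
    occupants.filter((o) => o.jid).map((o) => bareJid(o.jid)));
  return references.filter((ref) => {
    if (!ref.uri) return true;
    if (mayExposeRealJid(room)) return false;
    return realJids.has(bareJid(ref.uri.replace(/^xmpp:/, '')));
  });
}

// Constructed sample data: a moderator's view of a semi-anonymous room.
const room = { jid: 'coven@chat.example.org', features: ['muc_semianonymous'] };
const occupants = [
  { nick: 'second witch', jid: 'hag66@example.net/pda' },
  { nick: 'thirdwitch' }, // real JID not known to this client
];
```

The occupant JID in the fallback follows the nickname, so it carries the nickname-reuse risk raised in the comment above.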