[mICQ] ICQ md5 login support
Robert Bartel
r.bartel at gmx.net
Wed Apr 25 21:56:12 CEST 2007
On Tue, Apr 24, 2007 at 23:26:24 +0200, Rüdiger Kuhlmann wrote:
>
> >--[Robert Bartel]--<r.bartel at gmx.net>
> > Something else I noticed: the language and country codes used in the login
> > packet are the constant strings "de" and "DE". Don't know if that's a good
> > idea - could be used to detect and lock out micq clients by the login server?
>
> mICQ sends a specific capability. There's nothing easier than singling it
> out from that. Also de/DE is a pretty valid combination for everyone using
> it from Germany. So no, I'd say that risk is negligible.

Hm, that's right. Let's hope AOL will do nothing like that.
I was just curious because of the capitalized "DE". In the packet dumps from
the protocol site there was only a lowercase "us". Maybe they use the fields
to localize error URLs or similar.

> There's also nl_langinfo (_NL_ADDRESS_COUNTRY_AB2) and
> nl_langinfo (_NL_ADDRESS_LANG_AB), which might be some more official source
> of the correct values. Unfortunately, the latter is often not set in locale
> definitions, and I couldn't find any case where it is different from what
> you used.

I didn't find those in my man pages. Would be better than the quick hack of
taking the locale string apart.

> Also, why fall back to en/us?

I thought English would be a nice default. But since this seems to have no
effect anyway, it doesn't matter. I'm using the de_DE locale here, so the
difference for me is only the lowercase "de" country code :)

> > Also I'm not understanding the last TLV in that packet, doesn't micq use the
> > server side information (SSI) for the contact list?
>
> No, not quite. It compares it with its local list, but otherwise ignores it.
> Result: the possibility to add contacts without authorization.
>
> > So maybe it should be 1 and not 0? While experimenting I left it away, and
> > the server didn't care - could still log in successfully. The patch
> > comments it out - might be useful for testing.
>
> You could try to check whether it makes a difference for contacts that you
> never authorized...

Leaving the TLV away seems to be the same as using 0 as value. With 1 I get a
syntax error from the server for changing the contact list - just after login
and when trying to add someone - so that the contact list stays empty. It
really enforces the server based contact list. Maybe sometime in the future
AOL wants to make it the default?
So for now we could leave it away to save 5 bytes of traffic :)
Another idea would be to set it according to the global obeysbl option of
micq, but I never tried that one.
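
Added example, not part of the original message and not code from mICQ or the patch discussed: one way to take the locale string apart into the two login-packet codes while treating the environment value as untrusted input, with the en/us fallback mentioned above. The function name `locale_to_codes` and the choice to lowercase both codes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not mICQ code. Splits a POSIX locale name of the
 * form ll_CC[.codeset][@modifier] into two-letter language and country
 * codes. Both are lowercased (assumption, matching the lowercase "us" and
 * "de" mentioned in the thread). Returns 1 on success; on anything else
 * ("C", "POSIX", NULL, no territory, three-letter codes) it returns 0 and
 * leaves the en/us fallback in the output buffers. */
int locale_to_codes(const char *loc, char lang[3], char country[3])
{
    int i;

    strcpy(lang, "en");
    strcpy(country, "us");
    if (!loc)
        return 0;
    /* Check byte by byte so we never read past the terminating NUL. */
    for (i = 0; i < 5; i++) {
        if (i == 2 ? loc[i] != '_' : !isalpha((unsigned char)loc[i]))
            return 0;
    }
    /* The territory must end here or be followed by codeset/modifier. */
    if (loc[5] != '\0' && loc[5] != '.' && loc[5] != '@')
        return 0;
    lang[0] = (char)tolower((unsigned char)loc[0]);
    lang[1] = (char)tolower((unsigned char)loc[1]);
    country[0] = (char)tolower((unsigned char)loc[3]);
    country[1] = (char)tolower((unsigned char)loc[4]);
    return 1;
}

int main(void)
{
    /* POSIX precedence: LC_ALL, then the category variable, then LANG. */
    const char *loc = getenv("LC_ALL");
    char lang[3], country[3];
    int ok;

    if (!loc || !*loc) loc = getenv("LC_MESSAGES");
    if (!loc || !*loc) loc = getenv("LANG");
    ok = locale_to_codes(loc, lang, country);
    printf("%s -> %s/%s (parsed=%d)\n", loc ? loc : "(unset)", lang, country, ok);
    return 0;
}
```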