Openfire (master)

• 

  dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 01 Apr 2026 c4f4b08ced9c52f83e391f6fde1dd47b631fde1b

  chore(deps): bump org.apache.maven.plugins:maven-gpg-plugin
  Bumps [org.apache.maven.plugins:maven-gpg-plugin](https://github.com/apache/maven-gpg-plugin) from 3.2.7 to 3.2.8.
  - [Release notes](https://github.com/apache/maven-gpg-plugin/releases)
  - [Commits](https://github.com/apache/maven-gpg-plugin/compare/maven-gpg-plugin-3.2.7...maven-gpg-plugin-3.2.8)
  
  ---
  updated-dependencies:
  - dependency-name: org.apache.maven.plugins:maven-gpg-plugin
    dependency-version: 3.2.8
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  
  Signed-off-by: dependabot[bot] <support@github.com>

  • plugins/pom.xml (version c4f4b08ced9c52f83e391f6fde1dd47b631fde1b)
  • pom.xml (version c4f4b08ced9c52f83e391f6fde1dd47b631fde1b)
• 

  copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> 26 Mar 2026 da3db2c96348953ba3c78d1a41b5bddfebbed936

  OF-3217: Exclude data forms without FORM_TYPE='hidden' from ver hash per XEP-0115 §5.4 item 3f

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version da3db2c96348953ba3c78d1a41b5bddfebbed936)
  • xmppserver/src/test/java/org/jivesoftware/util/EntityCapabilitiesManagerTest.java (version da3db2c96348953ba3c78d1a41b5bddfebbed936)
• 

  copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> 26 Mar 2026 3fb5f16cc71cf20cac88139817f5c4a63181f0e4

  OF-3218: Validate disco#info response well-formedness per XEP-0115 §5.4 items 3c-3e

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version 3fb5f16cc71cf20cac88139817f5c4a63181f0e4)
  • xmppserver/src/test/java/org/jivesoftware/util/EntityCapabilitiesManagerTest.java (version 3fb5f16cc71cf20cac88139817f5c4a63181f0e4)
• 

  copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> 26 Mar 2026 1cd99c640818491e16e65534ce332f1a2c30c184

  OF-3216: Include 'node' attribute in disco#info requests per XEP-0115 §6.2

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesListener.java (version 1cd99c640818491e16e65534ce332f1a2c30c184)
  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version 1cd99c640818491e16e65534ce332f1a2c30c184)
  • xmppserver/src/test/java/org/jivesoftware/util/EntityCapabilitiesManagerTest.java (version 1cd99c640818491e16e65534ce332f1a2c30c184)
• 

  Guus der Kinderen 26 Mar 2026 94e9119223a3fe61cb396954badf32d085edec86

  OF-3218: Guard against forms with a FORM_TYPE but no value
  I don't think this is explicitly defined in a XEP. The closest definition is that of handling forms without a FORM_TYPE. We'll treat these the same: ignore them (but do not stop processing).

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version 94e9119223a3fe61cb396954badf32d085edec86)
• 

  Guus der Kinderen 26 Mar 2026 b296a992686a9a617c80903aae8268f98dfb083c

  OF-3218: Restrict 'well-formed' to XEP definition
  Restrict access to this clearly internal method (to avoid generic use) and fail on a stanza that doesn't even contain relevant data.

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version b296a992686a9a617c80903aae8268f98dfb083c)
  • xmppserver/src/test/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManagerTest.java (version b296a992686a9a617c80903aae8268f98dfb083c)
• 

  Guus der Kinderen 26 Mar 2026 35901a440b65ef4aa8da2e5c5207aa678c0486fd

  Adjust code comment to better reflect implementation

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version 35901a440b65ef4aa8da2e5c5207aa678c0486fd)
• 

  Guus der Kinderen 26 Mar 2026 699cc55a2f897af0a9d05f1421faa8a9b1146d4b

  OF-3218: Guard against malformed 'feature' elements
  It may be more proper to error hard in these cases, but the more pragmatic approach is to log but otherwise ignore them. It's unlikely that we'll encounter this issue in practice, as such stanzas would likely introduce problems in a lot of different places.

  • xmppserver/src/main/java/org/jivesoftware/openfire/entitycaps/EntityCapabilitiesManager.java (version 699cc55a2f897af0a9d05f1421faa8a9b1146d4b)
• 

  copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> 26 Mar 2026 a9d07efd8c87d3786f05bae138a8be8115b42f96

  OF-3221: Omit redundant 'ack' attribute in BOSH responses (XEP-0124 §9.1)
  Per XEP-0124 §9.1, the connection manager SHOULD NOT include an 'ack'
  attribute in any response if the value would be the 'rid' of the request
  being responded to (the common steady-state case).
  
  asBodyText() and createEmptyBody() now accept the responding-to RID and
  suppress the 'ack' attribute when it would be identical. A deprecated
  no-rid overload of createEmptyBody() is retained for callers without a
  specific request context.

  • xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpSession.java (version a9d07efd8c87d3786f05bae138a8be8115b42f96)
• 

  copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> 26 Mar 2026 d1d8454aede6667a7d58d681477808d1cfe3e46e

  OF-3220: Parse client 'ack' attribute from BOSH request bodies (XEP-0124 §9.2)
  Add HttpBindBody.getAck() to expose the client's acknowledged RID. When
  present, acknowledged entries are pruned from the sentElements retransmission
  buffer rather than relying solely on a size cap.
  
  Unit tests added in HttpBindBodyTest covering getAck() (present/absent/
  invalid/negative), getRid(), and isPoll() variants.

  • xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpBindBody.java (version d1d8454aede6667a7d58d681477808d1cfe3e46e)
  • xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpSession.java (version d1d8454aede6667a7d58d681477808d1cfe3e46e)
  • xmppserver/src/test/java/org/jivesoftware/openfire/http/HttpBindBodyTest.java (version d1d8454aede6667a7d58d681477808d1cfe3e46e)
• 

  copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> 26 Mar 2026 8d88e4f7479953578c85e079c1293df11f508777

  OF-3219: Overactivity check allows pause/terminate exception (XEP-0124 §11)
  Per XEP-0124 §11, clients MAY send one additional simultaneous request if it
  is a pause or terminate request. Previously the check fired at
  pendingConnections >= maxRequests unconditionally, rejecting valid pause/terminate
  requests from clients already at the limit.

  • xmppserver/src/main/java/org/jivesoftware/openfire/http/HttpSession.java (version 8d88e4f7479953578c85e079c1293df11f508777)
• 

  Guus der Kinderen 26 Mar 2026 c86a9108df454e12b692035dbd65d69d180b6623

  OF-3213: Fix group removal bug and improve user groups page
  Resolves an issue preventing users from being removed from groups and enhances the user groups page for more reliable pagination, search, and CSRF protection.

  • xmppserver/src/main/webapp/user-groups.jsp (version c86a9108df454e12b692035dbd65d69d180b6623)