Upon receiving the presence stanza of type "subscribed" addressed to the user, the user's server MUST first verify that the contact is in the user's roster with either of the following states:
subscription='none' and ask='subscribe' , or
subscription='from' and ask='subscribe'.
If the contact is not in the user's roster with either of those states, the user's server MUST silently ignore the presence stanza of type "subscribed" (i.e., it MUST NOT route it to the user, modify the user's roster, or generate a roster push to the user's available resources).
The added contact is not being affected by the presence stanza of type "subscribed". The user that is sending the presence stanza of type "subscribed" is the one that is having a new roster item in his roster.
I'm moving this issue to 2.3.0 since this is not a roster exploit issue.
Intresting. I just upgraded to 2.2.1 and i am still experiencing the issue, if you have some time PM me and I can give you an account on my server so I can demonstrate for you. Hopefully I am not waisting all of your time on a wild goose chase
Actually I probably should have put this comment here since this is the major priority.
In my opinion,
org.jivesoftware.openfire.handler.PresenceSubscribeHandler line 141should be removed.
I am resolving this issue. The latest issue was fixed as part of OF-38.