Uploaded image for project: 'Smack'
  1. Smack
  2. SMACK-538

ParseRoster does not check the sender of the roster and for pending roster queries

    Details

    • Type: Bug
    • Status: Closed (View workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Affects versions: 3.4.1
    • Fix versions: 4.0.0
    • Components: Core
    • Labels:
      None

      Description

      Reported by Thijs Alkemade: parseRoster @ PacketParserUtils.java:415 does not check the sender of the roster at all but also does not care whether or not a roster query was pending. This means that anybody can add new roster contacts, with a chosen alias and chosen groups. I've verified that this works in Yaxim.

        Attachments

          Issue links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. (Migrated on 28 Oct 2020 08:31 UTC) SMACK-533 Smack should prevent IQ response spoofing

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. (Migrated on 28 Oct 2020 08:31 UTC) SMACK-773 Allow roster pushes from our full JID for backwards compatibility

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Assignee:
                Lars Noschinski
                Reporter:
                Florian Schmaus
              • Votes:
                1 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: