[JDEV] [SECURITY] Remote roster manipulation bug in various Jabber clients
Tijl Houtbeckers
thoutbeckers at splendo.com
Thu Jul 3 14:07:24 CDT 2003
Peter Saint-Andre <stpeter at jabber.org> wrote on 3-7-2003 18:27:22:
>
>This is a server bug. With what server did you test this? AFAIK, both
>jabberd 1.4.* and the Jabber Inc. server do the right thing here.
>
>The correct behavior is as follows (I have added this text to my
>working copy of draft-ietf-xmpp-im):
>
> A server MUST ignore any 'to' address on a roster "set", and
> MUST treat any roster "set" as applying to the sender. For added
> safety, a client SHOULD check the "from" address of a roster "push"
> to ensure that it is from a trusted source; specifically, the stanza
> should have no 'from' attribute (i.e., implicitly from the server)
> or the JID contained in the 'from' attribute should match the user's
> bare JID or full JID; otherwise, the client SHOULD ignore the roster
> "push".
I assume it's clear in the document that this does not just apply to
client connections but also S2S connections (and do the servers named
here implement this)? (It's hard to tell without the context of the
document.)
It's still an odd requirement though. I could not, for example, write a
component that maintains its own separate roster and query it for it.
I know this hasn't been done so far, but esp. for components that have
roster-like functionality but no presence (email addressbook?) it
*could* be nice. But I guess considering the security issues it should
be done differently.
--
Tijl Houtbeckers
Software Engineer @ Splendo
The Netherlands
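The two rules quoted above (server: ignore 'to' on a roster "set"; client: only accept a roster "push" with no 'from' or a 'from' matching the user's own bare or full JID) as a small worked example. This is added illustration code written for this page, not code from jabberd, the Jabber Inc. server, or any client in the thread; the stanza strings are constructed samples and the function names are my own.

```python
"""Checks for the roster-push / roster-set rules quoted in this thread.
Example code written for this page, not from any Jabber client or server."""
import xml.etree.ElementTree as ET

NS_ROSTER = "jabber:iq:roster"


def bare_jid(jid):
    """Drop the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def local_name(tag):
    """Strip an ElementTree namespace prefix: '{ns}iq' -> 'iq'."""
    return tag.rsplit("}", 1)[-1]


def parse_roster_stanza(stanza_xml):
    """Return the <iq> element if this is an <iq type='set'> carrying a
    jabber:iq:roster <query>, otherwise None (malformed XML included)."""
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return None
    if local_name(iq.tag) != "iq" or iq.get("type") != "set":
        return None
    query = iq.find("{%s}query" % NS_ROSTER)
    return iq if query is not None else None


def roster_push_is_trusted(stanza_xml, my_full_jid):
    """Client side: accept a roster push only if it carries no 'from'
    (implicitly from our own server) or 'from' equals our bare or full JID.
    Anything else is ignored, as the quoted draft text recommends."""
    iq = parse_roster_stanza(stanza_xml)
    if iq is None:
        return False
    sender = iq.get("from")
    if sender is None:
        return True
    return sender in (bare_jid(my_full_jid), my_full_jid)


def roster_set_target(session_jid, stanza_xml):
    """Server side: a roster 'set' always applies to the roster of the
    session that sent it. Returns that owner's bare JID, or None when the
    stanza is not a roster set. The 'to' attribute is never consulted."""
    iq = parse_roster_stanza(stanza_xml)
    if iq is None:
        return None
    return bare_jid(session_jid)


# Constructed sample stanzas (not captured traffic).
PUSH_FROM_SERVER = (
    "<iq xmlns='jabber:client' type='set' id='p1'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='bob@example.org' subscription='both'/></query></iq>"
)
PUSH_FROM_SELF = (
    "<iq xmlns='jabber:client' type='set' id='p2' from='alice@example.org'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='bob@example.org' subscription='both'/></query></iq>"
)
PUSH_FROM_OTHER = (
    "<iq xmlns='jabber:client' type='set' id='p3' from='someone@example.net'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='bob@example.org' subscription='both'/></query></iq>"
)
SET_WITH_TO = (
    "<iq type='set' id='s1' to='other@example.org'>"
    "<query xmlns='jabber:iq:roster'>"
    "<item jid='bob@example.org' name='Bob'/></query></iq>"
)

if __name__ == "__main__":
    me = "alice@example.org/home"
    for label, push in (("server", PUSH_FROM_SERVER),
                        ("self", PUSH_FROM_SELF),
                        ("other", PUSH_FROM_OTHER)):
        print(label, "trusted" if roster_push_is_trusted(push, me) else "ignored")
    print("set applies to", roster_set_target(me, SET_WITH_TO))
```

The client check is deliberately strict: a push from any JID other than the user's own is dropped rather than reconciled, and the server helper takes the roster owner from the authenticated session alone, so the 'to' on the stanza has no effect on whose roster changes.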