authorKim Alvefur <zash@zash.se>2021-07-22 17:18:39 +0200
committerKim Alvefur <zash@zash.se>2021-07-22 17:18:39 +0200
commit00735e47597c877f16bdbcd57a7746568e881c99 (patch)
treec6d4269946054696d7ab098fb2db614ad9bec77f
parent59d820880f0421041b72b73d1fe52aa64adce43d (diff)
downloadprosody-00735e47597c877f16bdbcd57a7746568e881c99.tar.gz
prosody-00735e47597c877f16bdbcd57a7746568e881c99.zip
MUC: Fix logic for access to affiliation lists0.11.10
Fixes https://prosody.im/security/advisory_20210722/ Backs out 4d7b925652d9
-rw-r--r--plugins/muc/muc.lib.lua2
-rw-r--r--spec/scansion/muc_whois_anyone_member.scs140
2 files changed, 84 insertions, 58 deletions
diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua
index 037baa37..f037c4f6 100644
--- a/plugins/muc/muc.lib.lua
+++ b/plugins/muc/muc.lib.lua
@@ -976,7 +976,7 @@ function room_mt:handle_admin_query_get_command(origin, stanza)
-- e.g. an admin can't ask for a list of owners
local affiliation_rank = valid_affiliations[affiliation or "none"];
if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
- or (self:get_whois() == "anyone") then
+ or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
for jid in self:each_affiliation(_aff or "none") do
local nick = self:get_registered_nick(jid);
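Review bot: The member branch added to the condition checks only the requester's own rank and never compares it with `_aff_rank` or `_aff`, so in a members-only room with whois set to "anyone" a member can request any list. From the visible lines that appears to include the outcast (ban) list, which holds JIDs that are not occupants of the room. If that list should stay admin-only, the branch needs a bound on the requested list, for example `and _aff_rank >= valid_affiliations.member` (assuming outcast ranks below member, which this hunk does not show). If it is intended, the comment `-- e.g. an admin can't ask for a list of owners` now describes only the first branch and should gain a line such as `-- members of members-only non-anonymous rooms may read every list`. The function starts and ends outside this hunk, so the rejection path is not visible here.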
diff --git a/spec/scansion/muc_whois_anyone_member.scs b/spec/scansion/muc_whois_anyone_member.scs
index 9a6f7e15..bbe067fd 100644
--- a/spec/scansion/muc_whois_anyone_member.scs
+++ b/spec/scansion/muc_whois_anyone_member.scs
@@ -1,101 +1,127 @@
# MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms
[Client] Romeo
- jid: romeo@localhost/MsliYo9C
+ jid: 4e2pm7er@localhost
password: password
[Client] Juliet
- jid: juliet@localhost/vJrUtY4Z
+ jid: qnjm5253@localhost
+ password: password
+
+[Client] Random
+ jid: iqizbcus@localhost
password: password
-----
Romeo connects
+Juliet connects
+
+Random connects
+
+# Romeo joins and creates the MUC
Romeo sends:
- <presence to='issue1230@conference.localhost/romeo'>
- <x xmlns='http://jabber.org/protocol/muc'/>
+ <presence to="mcgczevx@conference.localhost/Romeo">
+ <x xmlns="http://jabber.org/protocol/muc"/>
</presence>
Romeo receives:
- <presence from='issue1230@conference.localhost/romeo'>
- <x xmlns='http://jabber.org/protocol/muc#user'>
- <status code='201'/>
- <item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
- <status code='110'/>
- </x>
+ <presence from="mcgczevx@conference.localhost/Romeo">
+ <x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false">
+ <item affiliation="owner" jid="${Romeo's full JID}" role="moderator"/>
+ <status code="110"/>
+ <status code="201"/>
+ </x>
</presence>
Romeo receives:
- <message from='issue1230@conference.localhost' type='groupchat'>
- <subject/>
+ <message from="mcgczevx@conference.localhost" type="groupchat">
+ <subject/>
</message>
+# and configures it for private chat
Romeo sends:
- <iq id='lx3' type='set' to='issue1230@conference.localhost'>
- <query xmlns='http://jabber.org/protocol/muc#owner'>
- <x type='submit' xmlns='jabber:x:data'>
- <field var='FORM_TYPE'>
- <value>http://jabber.org/protocol/muc#roomconfig</value>
- </field>
- <field var='muc#roomconfig_whois'>
- <value>anyone</value>
- </field>
- </x>
- </query>
+ <iq type="set" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" to="mcgczevx@conference.localhost">
+ <query xmlns="http://jabber.org/protocol/muc#owner">
+ <x type="submit" xmlns="jabber:x:data">
+ <field var="FORM_TYPE">
+ <value>http://jabber.org/protocol/muc#roomconfig</value>
+ </field>
+ <field var="muc#roomconfig_membersonly">
+ <value>1</value>
+ </field>
+ <field var="muc#roomconfig_whois">
+ <value>anyone</value>
+ </field>
+ </x>
+ </query>
</iq>
Romeo receives:
- <iq from='issue1230@conference.localhost' type='result' id='lx3'/>
+ <iq from="mcgczevx@conference.localhost" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" type="result"/>
Romeo receives:
- <message from='issue1230@conference.localhost' type='groupchat'>
- <x xmlns='http://jabber.org/protocol/muc#user'>
- <status code='172'/>
- </x>
+ <message from="mcgczevx@conference.localhost" type="groupchat">
+ <x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false">
+ <status code="104"/>
+ <status code="172"/>
+ </x>
</message>
-Juliet connects
+# Juliet is made a member
+Romeo sends:
+ <iq type="set" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost">
+ <query xmlns="http://jabber.org/protocol/muc#admin">
+ <item affiliation="member" jid="${Juliet's JID}"/>
+ </query>
+ </iq>
+# Juliet can read affiliations
Juliet sends:
- <presence to='issue1230@conference.localhost/juliet'>
- <x xmlns='http://jabber.org/protocol/muc'/>
- </presence>
-
-Juliet receives:
- <presence from='issue1230@conference.localhost/romeo'>
- <x xmlns='http://jabber.org/protocol/muc#user'>
- <item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
- </x>
- </presence>
-
-Juliet receives:
- <presence from='issue1230@conference.localhost/juliet'>
- <x xmlns='http://jabber.org/protocol/muc#user'>
- <status code='100'/>
- <item jid="${Juliet's JID}" role='participant' affiliation='none'/>
- <status code='110'/>
- </x>
- </presence>
+ <iq type="get" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost">
+ <query xmlns="http://jabber.org/protocol/muc#admin">
+ <item affiliation="owner"/>
+ </query>
+ </iq>
Juliet receives:
- <message from='issue1230@conference.localhost' type='groupchat'>
- <subject/>
- </message>
+ <iq from="mcgczevx@conference.localhost" id="32d81574-e1dc-4221-b36d-4c44debb7c19" type="result">
+ <query xmlns="http://jabber.org/protocol/muc#admin">
+ <item affiliation="owner" jid="${Romeo's JID}"/>
+ </query>
+ </iq>
Juliet sends:
- <iq id='lx2' type='get' to='issue1230@conference.localhost'>
- <query xmlns='http://jabber.org/protocol/muc#admin'>
- <item affiliation='member'/>
- </query>
+ <iq type="get" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" to="mcgczevx@conference.localhost">
+ <query xmlns="http://jabber.org/protocol/muc#admin">
+ <item affiliation="member"/>
+ </query>
</iq>
Juliet receives:
- <iq from='issue1230@conference.localhost' type='result' id='lx2'>
- <query xmlns='http://jabber.org/protocol/muc#admin'/>
+ <iq from="mcgczevx@conference.localhost" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" type="result">
+ <query xmlns="http://jabber.org/protocol/muc#admin">
+ <item affiliation="member" jid="${Juliet's JID}"/>
+ </query>
</iq>
+# Others can't read affiliations
+Random sends:
+ <iq type="get" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" to="mcgczevx@conference.localhost">
+ <query xmlns="http://jabber.org/protocol/muc#admin">
+ <item affiliation="owner"/>
+ </query>
+ </iq>
+
+Random receives:
+ <iq from="mcgczevx@conference.localhost" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" type="error"/>
+
+
Juliet disconnects
Romeo disconnects
+Random disconnects
+
+# recording ended on 2021-07-23T12:09:48Z
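Review bot: The case the advisory describes is not asserted anywhere in this script: the room is always configured with `muc#roomconfig_membersonly` set to 1, so nothing checks that an open room with whois "anyone" now refuses the list to an unaffiliated occupant. I would add a scenario that omits the members-only field, lets Random join the room, and expects `type="error"` for the same `muc#admin` get. A member request for `<item affiliation="outcast"/>` is also worth pinning either way, since only the owner and member lists are exercised. The unchanged header `# MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms` no longer matches what the script sets up; `# MUC: Allow members to fetch the affiliation lists in members-only non-anonymous rooms` would.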