From 00735e47597c877f16bdbcd57a7746568e881c99 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 22 Jul 2021 17:18:39 +0200
Subject: MUC: Fix logic for access to affiliation lists

Fixes https://prosody.im/security/advisory_20210722/

Backs out 4d7b925652d9
---
 spec/scansion/muc_whois_anyone_member.scs | 140 ++++++++++++++++++------------
 1 file changed, 83 insertions(+), 57 deletions(-)

(limited to 'spec')

diff --git a/spec/scansion/muc_whois_anyone_member.scs b/spec/scansion/muc_whois_anyone_member.scs
index 9a6f7e15..bbe067fd 100644
--- a/spec/scansion/muc_whois_anyone_member.scs
+++ b/spec/scansion/muc_whois_anyone_member.scs
@@ -1,101 +1,127 @@
 # MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms
 
 [Client] Romeo
-	jid: romeo@localhost/MsliYo9C
+	jid: 4e2pm7er@localhost
 	password: password
 
 [Client] Juliet
-	jid: juliet@localhost/vJrUtY4Z
+	jid: qnjm5253@localhost
+	password: password
+
+[Client] Random
+	jid: iqizbcus@localhost
 	password: password
 
 -----
 
 Romeo connects
 
+Juliet connects
+
+Random connects
+
+# Romeo joins and creates the MUC
 Romeo sends:
-	<presence to='issue1230@conference.localhost/romeo'>
-	<x xmlns='http://jabber.org/protocol/muc'/>
+	<presence to="mcgczevx@conference.localhost/Romeo">
+		<x xmlns="http://jabber.org/protocol/muc"/>
 	</presence>
 
 Romeo receives:
-	<presence from='issue1230@conference.localhost/romeo'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<status code='201'/>
-	<item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
-	<status code='110'/>
-	</x>
+	<presence from="mcgczevx@conference.localhost/Romeo">
+		<x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false">
+			<item affiliation="owner" jid="${Romeo's full JID}" role="moderator"/>
+			<status code="110"/>
+			<status code="201"/>
+		</x>
 	</presence>
 
 Romeo receives:
-	<message from='issue1230@conference.localhost' type='groupchat'>
-	<subject/>
+	<message from="mcgczevx@conference.localhost" type="groupchat">
+		<subject/>
 	</message>
 
+# and configures it for private chat
 Romeo sends:
-	<iq id='lx3' type='set' to='issue1230@conference.localhost'>
-	<query xmlns='http://jabber.org/protocol/muc#owner'>
-	<x type='submit' xmlns='jabber:x:data'>
-	<field var='FORM_TYPE'>
-	<value>http://jabber.org/protocol/muc#roomconfig</value>
-	</field>
-	<field var='muc#roomconfig_whois'>
-	<value>anyone</value>
-	</field>
-	</x>
-	</query>
+	<iq type="set" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#owner">
+			<x type="submit" xmlns="jabber:x:data">
+				<field var="FORM_TYPE">
+					<value>http://jabber.org/protocol/muc#roomconfig</value>
+				</field>
+				<field var="muc#roomconfig_membersonly">
+					<value>1</value>
+				</field>
+				<field var="muc#roomconfig_whois">
+					<value>anyone</value>
+				</field>
+			</x>
+		</query>
 	</iq>
 
 Romeo receives:
-	<iq from='issue1230@conference.localhost' type='result' id='lx3'/>
+	<iq from="mcgczevx@conference.localhost" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" type="result"/>
 
 Romeo receives:
-	<message from='issue1230@conference.localhost' type='groupchat'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<status code='172'/>
-	</x>
+	<message from="mcgczevx@conference.localhost" type="groupchat">
+		<x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false">
+			<status code="104"/>
+			<status code="172"/>
+		</x>
 	</message>
 
-Juliet connects
+# Juliet is made a member
+Romeo sends:
+	<iq type="set" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="member" jid="${Juliet's JID}"/>
+		</query>
+	</iq>
 
+# Juliet can read affiliations
 Juliet sends:
-	<presence to='issue1230@conference.localhost/juliet'>
-	<x xmlns='http://jabber.org/protocol/muc'/>
-	</presence>
-
-Juliet receives:
-	<presence from='issue1230@conference.localhost/romeo'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<item jid="${Romeo's JID}" role='moderator' affiliation='owner'/>
-	</x>
-	</presence>
-
-Juliet receives:
-	<presence from='issue1230@conference.localhost/juliet'>
-	<x xmlns='http://jabber.org/protocol/muc#user'>
-	<status code='100'/>
-	<item jid="${Juliet's JID}" role='participant' affiliation='none'/>
-	<status code='110'/>
-	</x>
-	</presence>
+	<iq type="get" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="owner"/>
+		</query>
+	</iq>
 
 Juliet receives:
-	<message from='issue1230@conference.localhost' type='groupchat'>
-	<subject/>
-	</message>
+	<iq from="mcgczevx@conference.localhost" id="32d81574-e1dc-4221-b36d-4c44debb7c19" type="result">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="owner" jid="${Romeo's JID}"/>
+		</query>
+	</iq>
 
 Juliet sends:
-	<iq id='lx2' type='get' to='issue1230@conference.localhost'>
-	<query xmlns='http://jabber.org/protocol/muc#admin'>
-	<item affiliation='member'/>
-	</query>
+	<iq type="get" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="member"/>
+		</query>
 	</iq>
 
 Juliet receives:
-	<iq from='issue1230@conference.localhost' type='result' id='lx2'>
-	<query xmlns='http://jabber.org/protocol/muc#admin'/>
+	<iq from="mcgczevx@conference.localhost" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" type="result">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="member" jid="${Juliet's JID}"/>
+		</query>
 	</iq>
 
+# Others can't read affiliations
+Random sends:
+	<iq type="get" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" to="mcgczevx@conference.localhost">
+		<query xmlns="http://jabber.org/protocol/muc#admin">
+			<item affiliation="owner"/>
+		</query>
+	</iq>
+
+Random receives:
+	<iq from="mcgczevx@conference.localhost" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" type="error"/>
+
+
 Juliet disconnects
 
 Romeo disconnects
 
+Random disconnects
+
+# recording ended on 2021-07-23T12:09:48Z
-- 
cgit v1.2.3