def test(q, bus, conn, stream):
    """Roster pushes lacking an ``id`` attribute must not crash Gabble.

    The server first answers Gabble's roster request with an empty roster.
    It then sends a subscription push with no ``id`` attribute; Gabble is
    expected to surface the contact on the 'stored' list anyway and to
    survive acknowledging the push. A second id-less push with a forged
    ``from`` (a contact rather than our server) must produce no
    MembersChanged or ContactsChanged signal at all.
    """
    # Answer the roster request with an empty roster and drain the initial
    # 'stored' contact-list signals.
    roster_request = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, roster_request.stanza)
    list_pairs = expect_contact_list_signals(q, bus, conn, ['stored'])
    stored = check_contact_list_signals(
        q, bus, conn, list_pairs.pop(0), cs.HT_LIST, 'stored', [])

    # A push from our server that (non-compliantly) carries no id attribute.
    push = make_roster_push(stream, jid, 'both')
    del push['id']
    stream.send(push)

    handle = conn.RequestHandles(cs.HT_CONTACT, [jid])[0]
    subscription = (cs.SUBSCRIPTION_STATE_YES, cs.SUBSCRIPTION_STATE_YES, '')
    members_changed = EventPattern(
        'dbus-signal', signal='MembersChanged',
        args=['', [handle], [], [], [], 0, 0],
        path=stored.object_path)
    contacts_changed = EventPattern(
        'dbus-signal', signal='ContactsChanged',
        args=[{handle: subscription}, []])
    q.expect_many(members_changed, contacts_changed)

    # A crash while acknowledging the id-less push would surface here.
    sync_stream(q, stream)

    # Same id-less push, but with a forged 'from' of a contact rather than
    # our server. A sane server would never relay this; Gabble must still
    # emit nothing for it.
    forged = make_roster_push(stream, '*****@*****.**', 'both')
    del forged['id']
    forged['from'] = '*****@*****.**'
    stream.send(forged)

    banned = [
        EventPattern('dbus-signal', signal='MembersChanged',
                     path=stored.object_path),
        EventPattern('dbus-signal', signal='ContactsChanged'),
    ]
    q.forbid_events(banned)

    # Let Gabble consume the forged push, then flush D-Bus so that any
    # signal it had emitted would already have been observed.
    sync_stream(q, stream)
    sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
    """Roster pushes with no ``id`` attribute must not crash Gabble.

    After the server answers the roster request with an empty roster, it
    sends a push lacking the ``id`` attribute. Gabble should still report
    the contact via ContactsChangedWithID and survive acknowledging the
    push. The same id-less push with a forged ``from`` (a contact, not our
    server) must produce no ContactsChangedWithID signal at all.
    """
    # Initial roster fetch: reply with an empty roster and wait for the
    # contact list to report success.
    roster_request = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, roster_request.stanza)
    q.expect('dbus-signal', signal='ContactListStateChanged',
             args=[cs.CONTACT_LIST_STATE_SUCCESS])

    # Push from our server that breaks the spec by omitting its id.
    push = make_roster_push(stream, jid, 'both')
    del push['id']
    stream.send(push)

    handle = conn.get_contact_handle_sync(jid)
    subscription = (cs.SUBSCRIPTION_STATE_YES, cs.SUBSCRIPTION_STATE_YES, '')
    q.expect_many(
        EventPattern('dbus-signal', signal='ContactsChangedWithID',
                     args=[{handle: subscription}, {handle: jid}, {}]),
    )

    # A crash while acknowledging the push would surface here.
    sync_stream(q, stream)

    # Forged variant: the same id-less push, but 'from' a contact instead
    # of our server. Whatever the server allows, Gabble must emit nothing.
    forged = make_roster_push(stream, '*****@*****.**', 'both')
    del forged['id']
    forged['from'] = '*****@*****.**'
    stream.send(forged)

    banned = [EventPattern('dbus-signal', signal='ContactsChangedWithID')]
    q.forbid_events(banned)

    # Let Gabble consume the forged push, then flush D-Bus so that any
    # emitted signal would already have been observed.
    sync_stream(q, stream)
    sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
    """Check that an id-less roster push is applied and acked without a crash.

    The server replies to the roster request with an empty roster, then
    pushes a 'both' subscription for ``jid`` with the ``id`` attribute
    removed. Gabble should emit ContactsChangedWithID for the contact and
    keep running while acknowledging the push. A copy of that push with a
    forged ``from`` (a contact rather than our server) must not produce any
    ContactsChangedWithID signal.
    """
    # Empty roster in response to the initial fetch; wait for the list to
    # become usable.
    fetch = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, fetch.stanza)
    q.expect('dbus-signal', signal='ContactListStateChanged',
             args=[cs.CONTACT_LIST_STATE_SUCCESS])

    # Server-originated push with the (mandatory) id attribute stripped.
    server_push = make_roster_push(stream, jid, 'both')
    del server_push['id']
    stream.send(server_push)

    contact = conn.get_contact_handle_sync(jid)
    expected_change = EventPattern(
        'dbus-signal', signal='ContactsChangedWithID',
        args=[
            {contact: (cs.SUBSCRIPTION_STATE_YES,
                       cs.SUBSCRIPTION_STATE_YES, '')},
            {contact: jid},
            {},
        ],
    )
    q.expect_many(expected_change)

    # If Gabble died while acking the push, this round-trip would fail.
    sync_stream(q, stream)

    # Now the same defective push, but claiming to come from a contact
    # rather than from our server. Gabble must not act on it.
    peer_push = make_roster_push(stream, '*****@*****.**', 'both')
    del peer_push['id']
    peer_push['from'] = '*****@*****.**'
    stream.send(peer_push)

    q.forbid_events([
        EventPattern('dbus-signal', signal='ContactsChangedWithID'),
    ])

    # Make sure the forged push has been processed, then flush D-Bus to
    # prove nothing was emitted for it.
    sync_stream(q, stream)
    sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
    """A roster push forged by a peer must be rejected, not applied.

    Once the server has answered the roster request with an empty roster,
    a push arrives whose ``from`` is the contact ``jid`` itself rather than
    our server, claiming a 'both' subscription. Gabble must not emit
    ContactsChangedWithID for it and must answer with an error IQ.
    """
    # Initial roster fetch: empty roster, then wait for the list to be ready.
    fetch = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, fetch.stanza)
    q.expect('dbus-signal', signal='ContactListStateChanged',
             args=[cs.CONTACT_LIST_STATE_SUCCESS])

    # A peer tries to get itself onto our roster by sending the push
    # directly, with its own JID as the sender.
    forged_push = make_roster_push(stream, jid, 'both')
    forged_push['from'] = jid
    stream.send(forged_push)

    banned = [EventPattern('dbus-signal', signal='ContactsChangedWithID')]
    q.forbid_events(banned)

    # The forged push must be answered with an error rather than applied.
    q.expect('stream-iq', iq_type='error')
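def test(q, bus, conn, stream):
    """A roster push forged by a peer must be rejected, not applied.

    Once the server has answered the roster request with an empty roster
    and the 'stored' list has been set up, a push arrives whose ``from`` is
    the contact ``jid`` itself rather than our server, claiming a 'both'
    subscription. Gabble must emit neither MembersChanged on the 'stored'
    list nor ContactsChanged for it, and must answer with an error IQ.
    """
    # Initial roster fetch: empty roster, then drain the 'stored' list
    # signals so that later MembersChanged emissions can be forbidden.
    fetch = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, fetch.stanza)
    pairs = expect_contact_list_signals(q, bus, conn, ['stored'])
    stored = check_contact_list_signals(
        q, bus, conn, pairs.pop(0), cs.HT_LIST, 'stored', [])

    # A peer tries to get itself onto our roster by sending the push
    # directly, with its own JID as the sender.
    forged_push = make_roster_push(stream, jid, 'both')
    forged_push['from'] = jid
    stream.send(forged_push)

    q.forbid_events([
        EventPattern('dbus-signal', signal='MembersChanged',
                     path=stored.object_path),
        EventPattern('dbus-signal', signal='ContactsChanged'),
    ])

    # The forged push must be answered with an error rather than applied.
    # The reply itself is not inspected further, so its event is not kept
    # (the original bound it to an unused local).
    q.expect('stream-iq', iq_type='error')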