def test(q, bus, conn, stream):
# Gabble asks for the roster; the server sends back an empty roster.
event = q.expect('stream-iq', query_ns=ns.ROSTER)
acknowledge_iq(stream, event.stanza)
pairs = expect_contact_list_signals(q, bus, conn,
['stored'])
stored = check_contact_list_signals(q, bus, conn, pairs.pop(0),
cs.HT_LIST, 'stored', [])
# The server sends us a roster push without an id=''. WTF!
iq = make_roster_push(stream, jid, 'both')
del iq['id']
stream.send(iq)
h = conn.RequestHandles(cs.HT_CONTACT, [jid])[0]
q.expect_many(
EventPattern('dbus-signal', signal='MembersChanged',
args=['', [h], [], [], [], 0, 0], path=stored.object_path),
EventPattern('dbus-signal', signal='ContactsChanged',
args=[{ h: (cs.SUBSCRIPTION_STATE_YES,
cs.SUBSCRIPTION_STATE_YES, ''), },
[]],
),
)
# Verify that Gabble didn't crash while trying to ack the push.
sync_stream(q, stream)
# Just for completeness, let's repeat this test with a malicious roster
# push from a contact (rather than from our server). Our server's *really*
# broken if it allows this. Nonetheless...
iq = make_roster_push(stream, '*****@*****.**', 'both')
del iq['id']
iq['from'] = '*****@*****.**'
stream.send(iq)
q.forbid_events(
[ EventPattern('dbus-signal', signal='MembersChanged',
path=stored.object_path),
EventPattern('dbus-signal', signal='ContactsChanged'),
])
# Make sure Gabble's got the evil push...
sync_stream(q, stream)
# ...and make sure it's not emitted anything.
sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
# Gabble asks for the roster; the server sends back an empty roster.
event = q.expect('stream-iq', query_ns=ns.ROSTER)
acknowledge_iq(stream, event.stanza)
q.expect('dbus-signal',
signal='ContactListStateChanged',
args=[cs.CONTACT_LIST_STATE_SUCCESS])
# The server sends us a roster push without an id=''. WTF!
iq = make_roster_push(stream, jid, 'both')
del iq['id']
stream.send(iq)
h = conn.get_contact_handle_sync(jid)
q.expect_many(
EventPattern(
'dbus-signal',
signal='ContactsChangedWithID',
args=[{
h: (cs.SUBSCRIPTION_STATE_YES, cs.SUBSCRIPTION_STATE_YES, ''),
}, {
h: jid
}, {}],
), )
# Verify that Gabble didn't crash while trying to ack the push.
sync_stream(q, stream)
# Just for completeness, let's repeat this test with a malicious roster
# push from a contact (rather than from our server). Our server's *really*
# broken if it allows this. Nonetheless...
iq = make_roster_push(stream, '*****@*****.**', 'both')
del iq['id']
iq['from'] = '*****@*****.**'
stream.send(iq)
q.forbid_events([
EventPattern('dbus-signal', signal='ContactsChangedWithID'),
])
# Make sure Gabble's got the evil push...
sync_stream(q, stream)
# ...and make sure it's not emitted anything.
sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
# Gabble asks for the roster; the server sends back an empty roster.
event = q.expect('stream-iq', query_ns=ns.ROSTER)
acknowledge_iq(stream, event.stanza)
q.expect('dbus-signal', signal='ContactListStateChanged', args=[cs.CONTACT_LIST_STATE_SUCCESS])
# The server sends us a roster push without an id=''. WTF!
iq = make_roster_push(stream, jid, 'both')
del iq['id']
stream.send(iq)
h = conn.get_contact_handle_sync(jid)
q.expect_many(
EventPattern('dbus-signal', signal='ContactsChangedWithID',
args=[{ h: (cs.SUBSCRIPTION_STATE_YES,
cs.SUBSCRIPTION_STATE_YES, ''), }, {h: jid}, {}],
),
)
# Verify that Gabble didn't crash while trying to ack the push.
sync_stream(q, stream)
# Just for completeness, let's repeat this test with a malicious roster
# push from a contact (rather than from our server). Our server's *really*
# broken if it allows this. Nonetheless...
iq = make_roster_push(stream, '*****@*****.**', 'both')
del iq['id']
iq['from'] = '*****@*****.**'
stream.send(iq)
q.forbid_events(
[ EventPattern('dbus-signal', signal='ContactsChangedWithID'),
])
# Make sure Gabble's got the evil push...
sync_stream(q, stream)
# ...and make sure it's not emitted anything.
sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
# Gabble asks for the roster; the server sends back an empty roster.
event = q.expect('stream-iq', query_ns=ns.ROSTER)
acknowledge_iq(stream, event.stanza)
q.expect('dbus-signal', signal='ContactListStateChanged', args=[cs.CONTACT_LIST_STATE_SUCCESS])
# Some malicious peer sends us a roster push to try to trick us into
# showing them on our roster. Gabble should know better than to trust it.
iq = make_roster_push(stream, jid, 'both')
iq['from'] = jid
stream.send(iq)
q.forbid_events(
[
EventPattern('dbus-signal', signal='ContactsChangedWithID'),
])
q.expect('stream-iq', iq_type='error')
def test(q, bus, conn, stream):
# Gabble asks for the roster; the server sends back an empty roster.
event = q.expect('stream-iq', query_ns=ns.ROSTER)
acknowledge_iq(stream, event.stanza)
pairs = expect_contact_list_signals(q, bus, conn,
['stored'])
stored = check_contact_list_signals(q, bus, conn, pairs.pop(0),
cs.HT_LIST, 'stored', [])
# Some malicious peer sends us a roster push to try to trick us into
# showing them on our roster. Gabble should know better than to trust it.
iq = make_roster_push(stream, jid, 'both')
iq['from'] = jid
stream.send(iq)
q.forbid_events(
[ EventPattern('dbus-signal', signal='MembersChanged',
path=stored.object_path),
EventPattern('dbus-signal', signal='ContactsChanged'),
])
e = q.expect('stream-iq', iq_type='error')
