Exemplo n.º 1
def test(q, bus, conn, stream):
    """Send an id-less roster push, then a spoofed one that must be ignored.

    After the initial (empty) roster exchange, two pushes are sent:

    1. A push with its 'id' attribute deleted and 'from' left as built.
       The contact is expected to appear via MembersChanged on the
       'stored' list and via ContactsChanged.
    2. A push, again without 'id', whose 'from' is overwritten with a
       contact's address. MembersChanged (on 'stored') and
       ContactsChanged are forbidden, so any roster change caused by
       this push fails the test.

    The second case is the security-relevant one: a client that applies
    roster pushes from arbitrary senders lets a remote peer edit the
    user's contact list. RFC 6121, section 2.1.6 requires the client to
    check the sender and not process pushes from unauthorized entities.

    `jid` and the helper functions are defined outside this block.
    """
    # Initial roster fetch: Gabble queries, the server answers with an
    # empty roster.
    roster_query = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, roster_query.stanza)

    list_signals = expect_contact_list_signals(q, bus, conn, ['stored'])
    stored = check_contact_list_signals(
        q, bus, conn, list_signals.pop(0), cs.HT_LIST, 'stored', [])

    # Case 1: a server push that (unexpectedly) carries no id attribute.
    push = make_roster_push(stream, jid, 'both')
    del push['id']
    stream.send(push)

    handle = conn.RequestHandles(cs.HT_CONTACT, [jid])[0]
    members_changed = EventPattern(
        'dbus-signal', signal='MembersChanged',
        args=['', [handle], [], [], [], 0, 0],
        path=stored.object_path)
    contacts_changed = EventPattern(
        'dbus-signal', signal='ContactsChanged',
        args=[
            {handle: (cs.SUBSCRIPTION_STATE_YES,
                      cs.SUBSCRIPTION_STATE_YES, '')},
            [],
        ])
    q.expect_many(members_changed, contacts_changed)

    # Gabble must still be alive after trying to acknowledge that push.
    sync_stream(q, stream)

    # Case 2: the same malformed push, but claiming to come from a contact
    # instead of our server. A server that relays this is badly broken;
    # the client must not trust it regardless.
    spoofed = make_roster_push(stream, '*****@*****.**', 'both')
    del spoofed['id']
    spoofed['from'] = '*****@*****.**'
    stream.send(spoofed)

    # NOTE(review): the patterns are registered after stream.send(); this
    # presumably relies on the queue not dispatching events until the next
    # expect/sync call -- confirm against the test harness.
    forbidden = [
        EventPattern('dbus-signal', signal='MembersChanged',
                     path=stored.object_path),
        EventPattern('dbus-signal', signal='ContactsChanged'),
    ]
    q.forbid_events(forbidden)
    # First make sure Gabble has received the spoofed push...
    sync_stream(q, stream)
    # ...then that no roster signal came out of it.
    sync_dbus(bus, q, conn)
def test(q, bus, conn, stream):
    """Send an id-less roster push, then a spoofed one that must be ignored.

    After the initial (empty) roster exchange and the
    ContactListStateChanged(success) signal, two pushes are sent:

    1. A push with its 'id' attribute deleted and 'from' left as built.
       ContactsChangedWithID is expected for the new contact.
    2. A push, again without 'id', whose 'from' is overwritten with a
       contact's address. ContactsChangedWithID is forbidden, so any
       roster change caused by this push fails the test.

    The second case guards against roster-push spoofing: RFC 6121,
    section 2.1.6 requires the client to check the sender of a push and
    not process one from an unauthorized entity.

    `jid` and the helper functions are defined outside this block.
    """
    # Initial roster fetch: Gabble queries, the server answers with an
    # empty roster.
    roster_query = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, roster_query.stanza)

    q.expect('dbus-signal', signal='ContactListStateChanged',
             args=[cs.CONTACT_LIST_STATE_SUCCESS])

    # Case 1: a server push that (unexpectedly) carries no id attribute.
    push = make_roster_push(stream, jid, 'both')
    del push['id']
    stream.send(push)

    handle = conn.get_contact_handle_sync(jid)
    contact_added = EventPattern(
        'dbus-signal', signal='ContactsChangedWithID',
        args=[
            {handle: (cs.SUBSCRIPTION_STATE_YES,
                      cs.SUBSCRIPTION_STATE_YES, '')},
            {handle: jid},
            {},
        ])
    q.expect_many(contact_added)

    # Gabble must still be alive after trying to acknowledge that push.
    sync_stream(q, stream)

    # Case 2: the same malformed push, but claiming to come from a contact
    # instead of our server. A server that relays this is badly broken;
    # the client must not trust it regardless.
    spoofed = make_roster_push(stream, '*****@*****.**', 'both')
    del spoofed['id']
    spoofed['from'] = '*****@*****.**'
    stream.send(spoofed)

    # NOTE(review): the pattern is registered after stream.send(); this
    # presumably relies on the queue not dispatching events until the next
    # expect/sync call -- confirm against the test harness.
    forbidden = [EventPattern('dbus-signal', signal='ContactsChangedWithID')]
    q.forbid_events(forbidden)
    # First make sure Gabble has received the spoofed push...
    sync_stream(q, stream)
    # ...then that no roster signal came out of it.
    sync_dbus(bus, q, conn)
Exemplo n.º 3
def test(q, bus, conn, stream):
    """Exercise roster pushes that lack an id, from the server and from a peer.

    Sequence, after the empty roster has been delivered and
    ContactListStateChanged(success) has been seen:

    * An id-less push with 'from' left as built: the contact must be
      reported through ContactsChangedWithID.
    * An id-less push with 'from' set to a contact's address: no
      ContactsChangedWithID may be emitted.

    The second step is a regression guard for roster-push spoofing, where
    a remote peer tries to alter the local roster. RFC 6121, section 2.1.6
    requires the client to check the sender of a push and not process one
    from an unauthorized entity.

    `jid` and the helper functions come from outside this block.
    """
    # Gabble requests the roster; reply with an empty one.
    initial_query = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, initial_query.stanza)

    q.expect(
        'dbus-signal',
        signal='ContactListStateChanged',
        args=[cs.CONTACT_LIST_STATE_SUCCESS],
    )

    # A push from the server with the id attribute removed.
    server_push = make_roster_push(stream, jid, 'both')
    del server_push['id']
    stream.send(server_push)

    contact = conn.get_contact_handle_sync(jid)
    both_yes = (cs.SUBSCRIPTION_STATE_YES, cs.SUBSCRIPTION_STATE_YES, '')
    q.expect_many(
        EventPattern(
            'dbus-signal',
            signal='ContactsChangedWithID',
            args=[{contact: both_yes}, {contact: jid}, {}],
        ),
    )

    # Confirms Gabble did not crash while acknowledging the id-less push.
    sync_stream(q, stream)

    # Repeat with a push whose sender is a contact rather than our server.
    # Only a seriously broken server would deliver this, but the client is
    # still expected to ignore it.
    peer_push = make_roster_push(stream, '*****@*****.**', 'both')
    del peer_push['id']
    peer_push['from'] = '*****@*****.**'
    stream.send(peer_push)

    # NOTE(review): forbidding happens after the send; presumably safe
    # because events are only dispatched inside expect/sync calls --
    # verify against the harness.
    q.forbid_events([
        EventPattern('dbus-signal', signal='ContactsChangedWithID'),
    ])
    # Round-trip on the stream so the push has definitely been received...
    sync_stream(q, stream)
    # ...and on D-Bus so a signal, had one been emitted, would be seen.
    sync_dbus(bus, q, conn)
Exemplo n.º 4
def test(q, bus, conn, stream):
    """Check that a roster push sent by a peer is rejected, not applied.

    After the empty roster has been delivered and
    ContactListStateChanged(success) has been seen, a roster push is sent
    whose 'from' is the pushed contact's own JID. The test forbids
    ContactsChangedWithID and expects Gabble to answer with an IQ of type
    'error'.

    This guards against roster-push spoofing: RFC 6121, section 2.1.6
    requires the client to check the sender of a push and not process one
    from an unauthorized entity.

    `jid` and the helper functions come from outside this block.
    """
    # Gabble requests the roster; reply with an empty one.
    initial_query = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, initial_query.stanza)

    q.expect(
        'dbus-signal',
        signal='ContactListStateChanged',
        args=[cs.CONTACT_LIST_STATE_SUCCESS],
    )

    # A peer tries to get itself onto our roster by sending the push
    # directly; Gabble must not trust a push with this sender.
    spoofed_push = make_roster_push(stream, jid, 'both')
    spoofed_push['from'] = jid
    stream.send(spoofed_push)

    q.forbid_events([
        EventPattern('dbus-signal', signal='ContactsChangedWithID'),
    ])

    # NOTE(review): nothing synchronises with D-Bus after the error reply,
    # so a forbidden signal emitted later than the error IQ would
    # presumably go unnoticed -- consider a D-Bus round-trip here if the
    # harness provides one.
    q.expect('stream-iq', iq_type='error')
Exemplo n.º 5
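def test(q, bus, conn, stream):
    """Check that a roster push sent by a peer is rejected, not applied.

    After the empty roster has been delivered and the 'stored' contact
    list has been announced, a roster push is sent whose 'from' is the
    pushed contact's own JID. The test forbids MembersChanged (on the
    'stored' list) and ContactsChanged, and expects Gabble to answer with
    an IQ of type 'error'.

    This guards against roster-push spoofing: RFC 6121, section 2.1.6
    requires the client to check the sender of a push and not process one
    from an unauthorized entity.

    `jid` and the helper functions come from outside this block.
    """
    # Gabble asks for the roster; the server sends back an empty roster.
    event = q.expect('stream-iq', query_ns=ns.ROSTER)
    acknowledge_iq(stream, event.stanza)

    pairs = expect_contact_list_signals(q, bus, conn,
            ['stored'])
    stored = check_contact_list_signals(q, bus, conn, pairs.pop(0),
            cs.HT_LIST, 'stored', [])

    # Some malicious peer sends us a roster push to try to trick us into
    # showing them on our roster. Gabble should know better than to trust it.
    iq = make_roster_push(stream, jid, 'both')
    iq['from'] = jid
    stream.send(iq)

    q.forbid_events(
        [ EventPattern('dbus-signal', signal='MembersChanged',
              path=stored.object_path),
          EventPattern('dbus-signal', signal='ContactsChanged'),
        ])

    # The error reply is only waited for, not inspected, so its result is
    # not bound to a name.
    # NOTE(review): nothing synchronises with D-Bus after the error reply,
    # so a forbidden signal emitted later than the error IQ would
    # presumably go unnoticed -- consider a D-Bus round-trip here if the
    # harness provides one.
    q.expect('stream-iq', iq_type='error')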