11712:d117b92fd8e4 0.11 0.11.10
MUC: Fix logic for access to affiliation lists
Fixes https://prosody.im/security/advisory_20210722/
Backs out 4d7b925652d9
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 22 Jul 2021 17:18:39 +0200 |
parents | 11649:aa119de5f6c7 |
children | 11713:7623767df468 11746:68faaf936f6d 11824:90a474aab2c1 |
files | plugins/muc/muc.lib.lua spec/scansion/muc_whois_anyone_member.scs |
diffstat | 2 files changed, 88 insertions(+), 62 deletions(-) [+] |
--- a/plugins/muc/muc.lib.lua Sat Jul 03 03:27:57 2021 +0200
+++ b/plugins/muc/muc.lib.lua Thu Jul 22 17:18:39 2021 +0200
@@ -976,7 +976,7 @@
 -- e.g. an admin can't ask for a list of owners
 local affiliation_rank = valid_affiliations[affiliation or "none"];
 if (affiliation_rank >= valid_affiliations.admin and affiliation_rank >= _aff_rank)
- or (self:get_whois() == "anyone") then
+ or (self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member) then
 local reply = st.reply(stanza):query("http://jabber.org/protocol/muc#admin");
 for jid in self:each_affiliation(_aff or "none") do
 local nick = self:get_registered_nick(jid);
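Review bot: The comment above the condition (`-- e.g. an admin can't ask for a list of owners`) explains only the rank comparison in the first clause, while the new second clause encodes a distinct policy — a requester of at least member affiliation in a members-only room whose whois setting is "anyone" may read any affiliation list, owners included, as the accompanying scansion spec exercises — and it should be stated next to the code so the next edit does not widen it again, e.g. `-- members of a members-only, non-anonymous room may see the full member/admin/owner lists; everyone else needs admin rank`. Since the clause now has three conjuncts, it would also read more clearly as a named local, `local member_may_list = self:get_members_only() and self:get_whois() == "anyone" and affiliation_rank >= valid_affiliations.member;`, tested in the `if`. The enclosing handler starts and ends outside the hunk, so the roles of `affiliation` (presumably the requester's affiliation) and `_aff_rank` (presumably the requested list's rank) are inferred rather than visible here.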
--- a/spec/scansion/muc_whois_anyone_member.scs Sat Jul 03 03:27:57 2021 +0200 +++ b/spec/scansion/muc_whois_anyone_member.scs Thu Jul 22 17:18:39 2021 +0200 
@@ -1,101 +1,127 @@ # MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms [Client] Romeo - jid: romeo@localhost/MsliYo9C + jid: 4e2pm7er@localhost password: password [Client] Juliet - jid: juliet@localhost/vJrUtY4Z + jid: qnjm5253@localhost + password: password + +[Client] Random + jid: iqizbcus@localhost password: password ----- Romeo connects +Juliet connects + +Random connects + +# Romeo joins and creates the MUC Romeo sends: - <presence to='issue1230@conference.localhost/romeo'> - <x xmlns='http://jabber.org/protocol/muc'/> + <presence to="mcgczevx@conference.localhost/Romeo"> + <x xmlns="http://jabber.org/protocol/muc"/> </presence> Romeo receives: - <presence from='issue1230@conference.localhost/romeo'> - <x xmlns='http://jabber.org/protocol/muc#user'> - <status code='201'/> - <item jid="${Romeo's JID}" role='moderator' affiliation='owner'/> - <status code='110'/> - </x> + <presence from="mcgczevx@conference.localhost/Romeo"> + <x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false"> + <item affiliation="owner" jid="${Romeo's full JID}" role="moderator"/> + <status code="110"/> + <status code="201"/> + </x> </presence> Romeo receives: - <message from='issue1230@conference.localhost' type='groupchat'> - <subject/> + <message from="mcgczevx@conference.localhost" type="groupchat"> + <subject/> </message> +# and configures it for private chat Romeo sends: - <iq id='lx3' type='set' to='issue1230@conference.localhost'> - <query xmlns='http://jabber.org/protocol/muc#owner'> - <x type='submit' xmlns='jabber:x:data'> - <field var='FORM_TYPE'> - <value>http://jabber.org/protocol/muc#roomconfig</value> - </field> - <field var='muc#roomconfig_whois'> - <value>anyone</value> - </field> - </x> - </query> + <iq type="set" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" to="mcgczevx@conference.localhost"> + <query xmlns="http://jabber.org/protocol/muc#owner"> + <x type="submit" xmlns="jabber:x:data"> + <field var="FORM_TYPE"> + 
<value>http://jabber.org/protocol/muc#roomconfig</value> + </field> + <field var="muc#roomconfig_membersonly"> + <value>1</value> + </field> + <field var="muc#roomconfig_whois"> + <value>anyone</value> + </field> + </x> + </query> </iq> Romeo receives: - <iq from='issue1230@conference.localhost' type='result' id='lx3'/> + <iq from="mcgczevx@conference.localhost" id="17fb8e7e-c75e-447c-b86f-3f1df8f507c4" type="result"/> Romeo receives: - <message from='issue1230@conference.localhost' type='groupchat'> - <x xmlns='http://jabber.org/protocol/muc#user'> - <status code='172'/> - </x> + <message from="mcgczevx@conference.localhost" type="groupchat"> + <x xmlns="http://jabber.org/protocol/muc#user" scansion:strict="false"> + <status code="104"/> + <status code="172"/> + </x> </message> -Juliet connects - -Juliet sends: - <presence to='issue1230@conference.localhost/juliet'> - <x xmlns='http://jabber.org/protocol/muc'/> - </presence> - -Juliet receives: - <presence from='issue1230@conference.localhost/romeo'> - <x xmlns='http://jabber.org/protocol/muc#user'> - <item jid="${Romeo's JID}" role='moderator' affiliation='owner'/> - </x> - </presence> +# Juliet is made a member +Romeo sends: + <iq type="set" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost"> + <query xmlns="http://jabber.org/protocol/muc#admin"> + <item affiliation="member" jid="${Juliet's JID}"/> + </query> + </iq> -Juliet receives: - <presence from='issue1230@conference.localhost/juliet'> - <x xmlns='http://jabber.org/protocol/muc#user'> - <status code='100'/> - <item jid="${Juliet's JID}" role='participant' affiliation='none'/> - <status code='110'/> - </x> - </presence> - -Juliet receives: - <message from='issue1230@conference.localhost' type='groupchat'> - <subject/> - </message> - +# Juliet can read affiliations Juliet sends: - <iq id='lx2' type='get' to='issue1230@conference.localhost'> - <query xmlns='http://jabber.org/protocol/muc#admin'> - <item affiliation='member'/> - 
</query> + <iq type="get" id="32d81574-e1dc-4221-b36d-4c44debb7c19" to="mcgczevx@conference.localhost"> + <query xmlns="http://jabber.org/protocol/muc#admin"> + <item affiliation="owner"/> + </query> </iq> Juliet receives: - <iq from='issue1230@conference.localhost' type='result' id='lx2'> - <query xmlns='http://jabber.org/protocol/muc#admin'/> + <iq from="mcgczevx@conference.localhost" id="32d81574-e1dc-4221-b36d-4c44debb7c19" type="result"> + <query xmlns="http://jabber.org/protocol/muc#admin"> + <item affiliation="owner" jid="${Romeo's JID}"/> + </query> + </iq> + +Juliet sends: + <iq type="get" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" to="mcgczevx@conference.localhost"> + <query xmlns="http://jabber.org/protocol/muc#admin"> + <item affiliation="member"/> + </query> </iq> +Juliet receives: + <iq from="mcgczevx@conference.localhost" id="05e3fe30-976f-4919-8221-ca1ac333eb9b" type="result"> + <query xmlns="http://jabber.org/protocol/muc#admin"> + <item affiliation="member" jid="${Juliet's JID}"/> + </query> + </iq> + +# Others can't read affiliations +Random sends: + <iq type="get" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" to="mcgczevx@conference.localhost"> + <query xmlns="http://jabber.org/protocol/muc#admin"> + <item affiliation="owner"/> + </query> + </iq> + +Random receives: + <iq from="mcgczevx@conference.localhost" id="df1195e1-7ec8-4102-8561-3e3a1d942adf" type="error"/> + + Juliet disconnects Romeo disconnects +Random disconnects + +# recording ended on 2021-07-23T12:09:48Z
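Review bot: The unchanged title line `# MUC: Allow members to fetch the affiliation lists in open non-anonymous rooms` no longer describes the script, which now sets `muc#roomconfig_membersonly` to 1 and asserts that a non-member (Random) receives an error; it should read `# MUC: Allow members to fetch the affiliation lists in members-only non-anonymous rooms`. Because the room is members-only, Random's error does not by itself show that the whois-anyone shortcut was narrowed — a non-member in a members-only room may be rejected for that reason alone — so a second scenario with membersonly left unset and whois set to anyone, where a non-member's affiliation query is refused, would pin the actual fix and guard against the backed-out change being reintroduced. The old script's check that a plain participant with affiliation none could previously read the member list is removed rather than inverted, so the regression case is currently untested.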