[Juser] Transport add contacts to roster

Peter Saint-Andre stpeter at jabber.org
Mon Feb 21 10:57:28 CST 2005


On Sat, Feb 19, 2005 at 05:58:18PM -0300, Florian Lindner wrote:

> is the jabber.org server currently allowing transports I subscribed to to add 
> contacts to my roster?

AFAIK, this is not disallowed by jabberd 1.4.2cvs, which is the 
session manager that jabber.org uses. The "legacy" transports used 
this "feature" to add people to your roster using a presence packet 
of type 'subscribed'. See JEP-0100 for details:

http://www.jabber.org/jeps/jep-0100.html

> If yes: Why? I would consider that a security flaw...

This behavior is forbidden by RFC 3921, but jabberd 1.4.2cvs is not
XMPP-compliant in this respect. When we finally get an XMPP-compliant
server at jabber.org (hopefully soon), then this behavior will not be
allowed.

/psa
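The check that RFC 3921 compliance implies here, as an added example that is not part of the original message and is not jabberd code: an inbound presence stanza of type 'subscribed' changes the roster only when the user has an outstanding subscription request to that contact. The function names, roster layout and JIDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def bare_jid(jid):
    # Simplified: drops the resource only; a real server also applies stringprep.
    return jid.split("/", 1)[0]

def handle_inbound_subscribed(roster, stanza_xml):
    """Apply an inbound <presence type='subscribed'/> to a user's roster.

    roster maps contact bare JID -> {"subscription": str, "ask": str or None}.
    Returns True if the roster changed, False if the stanza was ignored.
    """
    stanza = ET.fromstring(stanza_xml)
    if stanza.tag.rsplit("}", 1)[-1] != "presence" or stanza.get("type") != "subscribed":
        raise ValueError("expected <presence type='subscribed'/>")
    item = roster.get(bare_jid(stanza.get("from", "")))
    # Unsolicited approval: the user never asked to subscribe to this contact,
    # so nothing is added to the roster and nothing is delivered.
    if item is None or item.get("ask") != "subscribe":
        return False
    # Solicited approval: none -> to, from -> both; the pending request is cleared.
    item["subscription"] = "both" if item["subscription"] == "from" else "to"
    item["ask"] = None
    return True

# Constructed sample data (hypothetical JIDs).
SOLICITED = "<presence from='friend@example.org' to='user@example.com' type='subscribed'/>"
UNSOLICITED = "<presence from='12345@icq.example.net' to='user@example.com' type='subscribed'/>"

def demo():
    roster = {"friend@example.org": {"subscription": "none", "ask": "subscribe"}}
    results = [handle_inbound_subscribed(roster, s) for s in (SOLICITED, UNSOLICITED)]
    return results, roster

if __name__ == "__main__":
    print(demo())
```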