Illegal roster insertion bug


If I send a presence stanza of type=“subscribed” to a user, Wildfire forwards the request and sends roster push items to the user in question. This happens even if I am not yet on their roster with ask=“subscribe” and a subscription of neither “none” nor “from”.

This seems directly contradictory to section 8 of chapter 8.2 in RFC 3921. The proper behaviour is that the server MUST silently ignore it, so I guess that makes it a bug.

I feel it’s a fairly important one, since it opens the way for spam/spim (especially if you consider that many clients use vcards to read avatars and nicknames) that cannot be easily blocked by clients.



Hey Frank,

Thanks for the bug report. I filed it as JM-903 and checked in a fix for it. You can get the source code from SVN or wait for the next nightly build.


– Gato

Hi Dombiak,

That’s great! Thanks,
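The server-side check from RFC 3921 section 8.2, step 8, that this thread refers to, written as an added example; it is not part of the thread and not Wildfire's code or the JM-903 fix. `RosterItem`, `handle_inbound_subscribed` and the sample roster are hypothetical names and constructed data, and JID normalisation is simplified to lowercasing the bare JID.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RosterItem:
    subscription: str = "none"   # none | to | from | both
    ask: Optional[str] = None    # "subscribe" while the user's request is pending


# Only these pre-states (combined with ask="subscribe") accept an inbound
# "subscribed"; the value is the subscription state the item moves to.
_TRANSITIONS = {"none": "to", "from": "both"}


def bare_jid(jid: str) -> str:
    # Simplified normalisation (assumption): drop the resource, lowercase the rest.
    return jid.split("/", 1)[0].lower()


def handle_inbound_subscribed(
    roster: Dict[str, RosterItem], sender: str
) -> Tuple[str, Optional[RosterItem]]:
    """Decide what the user's server does with <presence type='subscribed'/>.

    Returns ("ignore", None) when the sender has no pending request on the
    roster: no delivery, no roster change, no roster push. Otherwise updates
    the item and returns ("deliver_and_push", item).
    """
    item = roster.get(bare_jid(sender))
    if item is None or item.ask != "subscribe" or item.subscription not in _TRANSITIONS:
        return ("ignore", None)
    item.subscription = _TRANSITIONS[item.subscription]
    item.ask = None
    return ("deliver_and_push", item)


def sample_roster() -> Dict[str, RosterItem]:
    # Constructed sample data for the demonstration.
    return {
        "pending@example.org": RosterItem("none", "subscribe"),
        "mutual-pending@example.org": RosterItem("from", "subscribe"),
        "already@example.org": RosterItem("to", None),
    }


if __name__ == "__main__":
    roster = sample_roster()
    for jid in ("stranger@example.net/x", "pending@example.org/home", "already@example.org"):
        print(jid, "->", handle_inbound_subscribed(roster, jid)[0])
```

The unsolicited case from the bug report is the `item is None` branch: the roster is left untouched, so no roster push is generated for the stranger's JID.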