Andrzej Wójcik (Tigase) opened 6 years ago

Wojtek, I've found this issue during work on "XEP-0048: Bookmarks", which suggests usage of PEP as private storage for conference bookmarks. This issue is, I would say, quite critical, as due to the issue it is possible to receive or retrieve other users' bookmarks, which may include full connection details for MUC rooms (including password!). I've checked this fix and added TTS-NG tests for this issue to make sure that it is fixed and will be fixed in 8.0.0. However, I suppose that this is rather a critical bug and we should update our installations ASAP. What do you think? Will you update them or should I?

Andrzej Wójcik wrote:
I'll update it.

Wojciech Kapcia wrote:
Updated to to-do: terminated old instance once the users switch to new ones (

Wojciech Kapcia wrote:
terminated

It looks like this test is still failing randomly. It seems that, for some reason, quick disconnect/connect could cause it?

Wojciech, I've fixed issues related to TTS-NG TestPEP test case. It looks like Jaxmpp event bus still has some events to process after

It solved the issue.

Tigase.org will be updated in #8696 |

Type | Bug
Priority | Critical
Assignee |
RedmineID | 8667
Version | tigase-server-8.0.0
Spent time | 6h 30m

PEP nodes are delivering last published items without checking the access model! I.e., if a PEP node is whitelist-only, it should not return the last published item to anyone outside of the whitelist (with the exception of the PEP/PubSub service owner).
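
The check described in this issue, as an added Python sketch that is not Tigase's code or its fix: the last published item is released only after the node's access model is evaluated, with the owner exception. It goes beyond the whitelist case to the other XEP-0060 access models; `PepNode`, `may_receive`, `last_item_for` and all JIDs are hypothetical names and constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PepNode:                       # hypothetical model, not a Tigase class
    owner: str                       # bare JID of the PEP service owner
    access_model: str                # XEP-0060: open/presence/roster/authorize/whitelist
    last_item: Optional[str] = None
    whitelist: set = field(default_factory=set)
    presence_subs: set = field(default_factory=set)   # JIDs subscribed to owner's presence
    approved: set = field(default_factory=set)        # approved subscribers ("authorize")
    roster_groups: dict = field(default_factory=dict) # contact JID -> owner's roster groups
    allowed_groups: set = field(default_factory=set)  # groups permitted by "roster" model

def bare(jid: str) -> str:
    """Strip the resource part so checks compare bare JIDs."""
    return jid.split("/", 1)[0].lower()

def may_receive(node: PepNode, requester: str) -> bool:
    who = bare(requester)
    if who == bare(node.owner):      # owner exception from the issue text
        return True
    model = node.access_model
    if model == "open":
        return True
    if model == "whitelist":
        return who in node.whitelist
    if model == "presence":
        return who in node.presence_subs
    if model == "authorize":
        return who in node.approved
    if model == "roster":
        return bool(node.roster_groups.get(who, set()) & node.allowed_groups)
    return False                     # unknown model: fail closed

def last_item_for(node: PepNode, requester: str) -> Optional[str]:
    """Gate both push-on-presence and explicit retrieval through one check."""
    if node.last_item is None or not may_receive(node, requester):
        return None
    return node.last_item

# Constructed sample: a whitelist-only bookmarks node holding a MUC password.
BOOKMARKS = PepNode(owner="alice@example.com", access_model="whitelist",
                    last_item="<conference jid='room@muc.example.com'><password>s3cret</password></conference>",
                    whitelist={"bob@example.com"})
```

Routing every delivery path through one function such as `last_item_for` is what a regression test for this bug should exercise: a non-whitelisted contact must get nothing on reconnect as well as on explicit retrieval.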