This is a list of different test cases that client developers should apply to their code base.
There is a hosted version of test 1. at xmpp:reject@yax.im
= Impersonation attacks =
# Roster push impersonation [https://gultsch.de/gajim_roster_push_and_message_interception.html CVE-2015-8688]: a roster push (an <iq type='set'/> with a jabber:iq:roster payload) must be ignored unless it has no 'from' attribute or comes from the user's own bare JID
# Carbon sender impersonation [https://rt-solutions.de/en/2017/01/cve-2017-5589_xmpp_carbons/ CVE-2017-5589]: a <message> carrying a carbons <received/> or <sent/> wrapper must be ignored unless it comes from the user's own bare JID
# MAM impersonation: a <message> from a remote JID containing a <result> with a wrapped <message>. Results must only be accepted for a queryid the client itself issued, and only from the archive that was queried with that id
# Impersonation via XEP-0297 Stanza Forwarding: similar to the MAM impersonation but with a top-level <forwarded/> element. Clients are supposed to clearly indicate that a message has been forwarded, attributing it to the outer sender. Misbehaving clients might instead show the forwarded message as if it came from the person named in the inner stanza. There is also zero guarantee that a forwarded message is not in fact a forgery.
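The checks behind the four cases above, written out as an added example (not code from this wiki or from any client named on it). It assumes a hypothetical account alice@example.org and feeds constructed stanzas through one classifier; a real client would run the same checks in its stanza dispatcher before any roster, carbon or archive handler sees the payload:

```python
"""Inbound-stanza checks for the impersonation cases listed above.

Added example, not code from this wiki or from any particular client.
Standard library only; the client is assumed to be logged in as the
hypothetical account alice@example.org, and every stanza in SAMPLES is
constructed for the example.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_ROSTER = "jabber:iq:roster"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_MAM = "urn:xmpp:mam:2"
NS_FORWARD = "urn:xmpp:forward:0"

OWN_BARE = "alice@example.org"  # hypothetical account of this client


def q(ns, tag):
    """ElementTree-style qualified name, e.g. {jabber:client}message."""
    return f"{{{ns}}}{tag}"


def bare(jid):
    """alice@example.org/phone -> alice@example.org"""
    return jid.split("/", 1)[0]


def from_own_server(stanza):
    """A stanza the server generates for our account carries no 'from' at all
    or exactly our bare JID (RFC 6121 roster pushes, XEP-0280 carbons)."""
    frm = stanza.get("from")
    return frm is None or frm == OWN_BARE


def check_stanza(xml_text, pending_mam_queries):
    """Classify one inbound stanza as 'accept', 'reject' or 'forwarded'.

    pending_mam_queries maps queryid -> bare JID of the archive that was
    queried with that id (own account or a MUC room).
    """
    stanza = ET.fromstring(xml_text)

    # 1. Roster push (RFC 6121): only the user's own server may push changes.
    if stanza.tag == q(NS_CLIENT, "iq") and stanza.find(q(NS_ROSTER, "query")) is not None:
        if stanza.get("type") == "set" and not from_own_server(stanza):
            return "reject", "roster push from foreign JID (CVE-2015-8688 pattern)"
        return "accept", "roster push"

    if stanza.tag != q(NS_CLIENT, "message"):
        return "accept", "other stanza"

    # 2. Carbons (XEP-0280): the wrapper must come from our own bare JID.
    for kind in ("received", "sent"):
        if stanza.find(q(NS_CARBONS, kind)) is not None:
            if not from_own_server(stanza):
                return "reject", "carbon from foreign JID (CVE-2017-5589 pattern)"
            return "accept", f"carbon ({kind})"

    # 3. MAM result (XEP-0313): must belong to a query we issued and come from
    #    exactly the archive we queried with that queryid.
    result = stanza.find(q(NS_MAM, "result"))
    if result is not None:
        archive = pending_mam_queries.get(result.get("queryid"))
        if archive is None:
            return "reject", "MAM result for a query we never issued"
        frm = stanza.get("from")
        ok = from_own_server(stanza) if archive == OWN_BARE else (frm is not None and bare(frm) == archive)
        if not ok:
            return "reject", "MAM result not from the queried archive"
        return "accept", "MAM result"

    # 4. Top-level XEP-0297 forward: acceptable, but the inner sender is an
    #    unverified claim; the UI must attribute it to the outer 'from'.
    inner = stanza.find(f"{q(NS_FORWARD, 'forwarded')}/{q(NS_CLIENT, 'message')}")
    if inner is not None:
        return "forwarded", f"{stanza.get('from')} claims to forward a message from {inner.get('from')}"

    return "accept", "plain message"


# Constructed stanzas for the cases above (not captured traffic).
FWD = ("<forwarded xmlns='urn:xmpp:forward:0'><message xmlns='jabber:client' "
       "from='bob@example.org' to='alice@example.org'><body>hi</body></message></forwarded>")
SAMPLES = {
    "roster_push_forged": ("<iq xmlns='jabber:client' type='set' id='1' from='mallory@evil.example'>"
                           "<query xmlns='jabber:iq:roster'><item jid='bob@example.org'/></query></iq>"),
    "roster_push_ok": ("<iq xmlns='jabber:client' type='set' id='2' from='alice@example.org'>"
                       "<query xmlns='jabber:iq:roster'><item jid='bob@example.org'/></query></iq>"),
    "carbon_forged": (f"<message xmlns='jabber:client' from='mallory@evil.example' to='alice@example.org/phone'>"
                      f"<received xmlns='urn:xmpp:carbons:2'>{FWD}</received></message>"),
    "carbon_ok": (f"<message xmlns='jabber:client' from='alice@example.org' to='alice@example.org/phone'>"
                  f"<received xmlns='urn:xmpp:carbons:2'>{FWD}</received></message>"),
    "mam_forged": (f"<message xmlns='jabber:client' from='mallory@evil.example' to='alice@example.org/phone'>"
                   f"<result xmlns='urn:xmpp:mam:2' queryid='q1' id='a1'>{FWD}</result></message>"),
    "mam_ok": (f"<message xmlns='jabber:client' from='alice@example.org' to='alice@example.org/phone'>"
               f"<result xmlns='urn:xmpp:mam:2' queryid='q1' id='a1'>{FWD}</result></message>"),
    "mam_unsolicited": (f"<message xmlns='jabber:client' to='alice@example.org/phone'>"
                        f"<result xmlns='urn:xmpp:mam:2' queryid='q9' id='a1'>{FWD}</result></message>"),
    "bare_forward": f"<message xmlns='jabber:client' from='carol@example.org' to='alice@example.org/phone'>{FWD}</message>",
}


def run_samples(pending=None):
    """Verdict per sample, with q1 being the one MAM query this client has open."""
    pending = pending if pending is not None else {"q1": OWN_BARE}
    return {name: check_stanza(xml, pending)[0] for name, xml in SAMPLES.items()}
```

The MAM check keys on the queryid the client generated itself, so a remote party cannot simply guess that results are awaited; the bare forward is deliberately not rejected, since forwarding is legitimate, but the verdict tells the UI to attribute the inner message to the outer sender rather than to the JID named inside it.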
= Session Management =
# A client performs all session initiation operations in the correct order (STARTTLS before SASL authentication before resource binding; a XEP-0198 <resume/> takes the place of binding, and <enable/> may only be sent after binding)
# A client properly accepts a different resource than the one it requested during binding, and responds to IQs addressed to that resource
# Stream Management ([https://xmpp.org/extensions/xep-0198.html XEP-0198])
## A client resumes a session with the same session id (the previd from <enabled/>) if it was disconnected without closing the XML stream
## A client reports the correct 'h' value on resume after it was fed with some messages, IQs, and other (non-stanza) stream elements: only <message/>, <presence/> and <iq/> are counted, <r/>, <a/> and the like are not
## A client aborts the resume if the server requests stanzas that were already acknowledged before the connection loss (<resumed h> with a value smaller than in the last <a/> element)
## A client aborts the resume if the server claims to have received more stanzas than the client sent (<resumed h> with a value significantly larger than the client's outbound count)
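Counter bookkeeping for the four resume tests above, as an added example rather than code from this wiki or from any client. It assumes an already negotiated <enabled id='abc123'/> and constructs the traffic in demo() itself: only stanzas bump the counters, <r/> is answered with the current h, and a <resumed h='…'/> that runs backwards past the last <a/> or ahead of what the client sent aborts the resume:

```python
"""XEP-0198 counter bookkeeping and <resumed/> validation for the tests above.

Added example, not code from this wiki or from any client. Standard library
only; the stream id 'abc123' and all stanzas in demo() are constructed.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_SM = "urn:xmpp:sm:3"
STANZA_TAGS = {f"{{{NS_CLIENT}}}{t}" for t in ("message", "presence", "iq")}
WRAP = 2 ** 32  # 'h' counters wrap at 2^32 (XEP-0198)


class ResumeError(Exception):
    """The server's <resumed/> contradicts our own bookkeeping: abort the resume."""


class StreamManagement:
    def __init__(self, sm_id):
        self.sm_id = sm_id          # id from <enabled/>, needed as previd on resume
        self.inbound_handled = 0    # stanzas we received and handled (our 'h')
        self.outbound_sent = 0      # stanzas we sent since <enable/>
        self.server_acked = 0       # last 'h' the server sent in <a/>
        self.unacked = []           # sent stanzas the server has not acked yet

    def receive(self, xml_text):
        """Feed one inbound stream element; returns an <a/> to send back if one is due."""
        el = ET.fromstring(xml_text)
        if el.tag in STANZA_TAGS:
            self.inbound_handled = (self.inbound_handled + 1) % WRAP
        elif el.tag == f"{{{NS_SM}}}r":
            # <r/>, <a/> and friends are stream elements, not stanzas: never counted
            return f"<a xmlns='{NS_SM}' h='{self.inbound_handled}'/>"
        elif el.tag == f"{{{NS_SM}}}a":
            self._apply_ack(int(el.get("h")))
        return None

    def send(self, xml_text):
        self.outbound_sent = (self.outbound_sent + 1) % WRAP
        self.unacked.append(xml_text)

    def _apply_ack(self, h):
        newly = (h - self.server_acked) % WRAP
        if newly > len(self.unacked):
            raise ResumeError(f"h={h} inconsistent with {len(self.unacked)} outstanding stanzas")
        del self.unacked[:newly]
        self.server_acked = h

    def resume_request(self):
        return f"<resume xmlns='{NS_SM}' h='{self.inbound_handled}' previd='{self.sm_id}'/>"

    def handle_resumed(self, xml_text):
        """Validate <resumed/>; return the stanzas to resend, or raise ResumeError."""
        el = ET.fromstring(xml_text)
        if el.tag == f"{{{NS_SM}}}failed":
            raise ResumeError("server refused the resume; bind a fresh resource instead")
        if el.tag != f"{{{NS_SM}}}resumed" or el.get("previd") != self.sm_id:
            raise ResumeError("unexpected resume response")
        h = int(el.get("h"))
        outstanding = (self.outbound_sent - self.server_acked) % WRAP
        if (h - self.server_acked) % WRAP > outstanding:
            # Either h moved backwards past an <a/> we already saw (the server wants
            # stanzas it acknowledged before the drop) or h exceeds what we ever sent.
            where = "below the last <a/>" if h < self.server_acked else "above our sent count"
            raise ResumeError(f"server h={h} is {where}; aborting resume")
        self._apply_ack(h)
        return list(self.unacked)


def demo():
    """Constructed scenario: 5 sent, 3 acked, 3 stanzas plus one <r/> received, then a drop."""
    sm = StreamManagement("abc123")
    for i in range(5):
        sm.send(f"<message xmlns='{NS_CLIENT}' id='m{i}' to='bob@example.org'><body>{i}</body></message>")
    sm.receive(f"<a xmlns='{NS_SM}' h='3'/>")
    for x in (f"<message xmlns='{NS_CLIENT}' from='bob@example.org'><body>x</body></message>",
              f"<iq xmlns='{NS_CLIENT}' type='get' id='p' from='bob@example.org'/>",
              f"<presence xmlns='{NS_CLIENT}' from='bob@example.org'/>"):
        sm.receive(x)
    outcomes = {"ack_sent": sm.receive(f"<r xmlns='{NS_SM}'/>"), "resume": sm.resume_request()}
    for h in (4, 2, 9):  # plausible, "forgot an ack", "more than we sent"
        try:
            outcomes[f"resumed_h{h}"] = len(sm.handle_resumed(f"<resumed xmlns='{NS_SM}' h='{h}' previd='abc123'/>"))
        except ResumeError:
            outcomes[f"resumed_h{h}"] = "abort"
    return outcomes
```

Because the counters wrap at 2^32, the comparison is done on the modular difference against the number of outstanding stanzas; that single check covers both the "smaller than the last <a/>" and the "larger than sent" case, and the message only spells out which one it was.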
= Roster Management =
# When a subscription request was approved or denied from a different device of the same account, the client updates its roster view and removes any pending approval popups
= Multi User Chats =
# A join is not responded to at all by the MUC
# A join is responded to with an error presence
# A join is responded to with a CAPTCHA challenge message ([https://xmpp.org/extensions/xep-0158.html XEP-0158])
# After sending the CAPTCHA response the MUC responds with a "not-authorized" error presence (which in this case does ''not'' mean that the MUC is password protected, but that the CAPTCHA answer was rejected)
# CAPTCHA challenge messages may be archived (MAM) by the server; a client should ignore them when they come back from the archive instead of showing a stale challenge
# The join response does not contain a subject
# The join response does not contain a [https://xmpp.org/extensions/xep-0045.html#order self-presence]
# The client gets banned by the MUC, with or without a message
# The MUC join completes, but the occupant is then silently removed, all subsequent messages get rejected (see [https://xmpp.org/extensions/xep-0410.html XEP-0410] for the self-ping a client can use to detect this)
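One way a client can drive the join outcomes listed above through a single state machine, as an added example (not this wiki's or any client's code). Room, nick and all stanzas are constructed; the mapping of a not-authorized error to "password required" versus "CAPTCHA rejected" depends purely on whether the client has answered a challenge during this attempt, and the XEP-0410 self-ping is what turns a silent removal into a visible state:

```python
"""Join handling for the MUC cases above: error presences, CAPTCHA challenges
(XEP-0158), missing subject, self-presence (status 110), removal after the join
and the XEP-0410 self-ping. Added example, not code from this wiki or any
client; standard library only. ROOM and NICK are hypothetical and every
stanza built below is constructed for the example."""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_MUC_USER = "http://jabber.org/protocol/muc#user"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
NS_CAPTCHA = "urn:xmpp:captcha"
NS_DELAY = "urn:xmpp:delay"
ROOM, NICK = "room@conference.example.org", "alice"


def q(ns, tag):
    return f"{{{ns}}}{tag}"


def error_condition(stanza):
    """RFC 6120 condition name of an error stanza, e.g. 'not-authorized'."""
    err = stanza.find(q(NS_CLIENT, "error"))
    for child in (err if err is not None else []):
        if child.tag.startswith("{" + NS_STANZAS + "}") and child.tag != q(NS_STANZAS, "text"):
            return child.tag.rsplit("}", 1)[1]
    return "undefined-condition"


class MucJoin:
    """Tracks one join attempt; .state is what the UI should reflect."""

    def __init__(self, room, nick):
        self.room, self.nick = room, nick
        self.state = "joining"
        self.captcha_answered = False
        self.subject = None  # stays None when the room never sends one

    def timeout(self):
        """The service never answered within the client's deadline."""
        if self.state == "joining":
            self.state = "failed:timeout"
        return self.state

    def feed(self, xml_text, archived=False):
        """archived=True marks MAM replay; a CAPTCHA from there is ignored (policy chosen here)."""
        st = ET.fromstring(xml_text)
        frm = st.get("from", "")
        if frm != self.room and not frm.startswith(self.room + "/"):
            return self.state  # not from our room
        if st.tag == q(NS_CLIENT, "presence"):
            self._presence(st, frm.partition("/")[2])
        elif st.tag == q(NS_CLIENT, "message") and not archived and st.find(q(NS_DELAY, "delay")) is None:
            self._live_message(st)
        return self.state

    def _presence(self, st, nick):
        codes = {s.get("code") for s in st.findall(f"{q(NS_MUC_USER, 'x')}/{q(NS_MUC_USER, 'status')}")}
        if st.get("type") == "error":
            cond = error_condition(st)
            if cond == "not-authorized":  # "password required", unless we just answered a CAPTCHA
                cond = "captcha-rejected" if self.captcha_answered else "password-required"
            self.state = "failed:" + cond
        elif nick != self.nick and "110" not in codes:
            return  # some other occupant; irrelevant to the join itself
        elif st.get("type") == "unavailable":
            if "303" not in codes:  # 303 is our own nick change, not a removal
                self.state = "removed:banned" if "301" in codes else "removed:kicked" if "307" in codes else "removed:left"
        elif self.state != "joined" and not self.state.startswith("failed"):
            self.state = "joined"  # self-presence: join complete, with or without a subject

    def _live_message(self, st):
        if st.find(q(NS_CAPTCHA, "captcha")) is not None and self.state == "joining":
            self.state = "captcha-pending"
        subj = st.find(q(NS_CLIENT, "subject"))
        if st.get("type") == "groupchat" and subj is not None and st.find(q(NS_CLIENT, "body")) is None:
            self.subject = subj.text or ""

    def answer_captcha(self):
        """Record that the XEP-0158 form was submitted to the room."""
        self.captcha_answered = True
        self.state = "captcha-answered"

    def self_ping_result(self, xml_text):
        """XEP-0410: answer to an IQ ping sent to room/nick; not-acceptable means we are no occupant."""
        iq = ET.fromstring(xml_text)
        if iq.get("type") == "error" and error_condition(iq) == "not-acceptable":
            self.state = "removed:silently"
        return self.state


def presence(nick, ptype=None, codes=(), cond=None):
    """Constructed presence from ROOM/nick, optionally with status codes or an error."""
    t = f" type='{ptype}'" if ptype else ""
    x = "".join(f"<status code='{c}'/>" for c in codes)
    err = f"<error type='auth'><{cond} xmlns='{NS_STANZAS}'/></error>" if cond else ""
    return f"<presence xmlns='{NS_CLIENT}' from='{ROOM}/{nick}'{t}><x xmlns='{NS_MUC_USER}'>{x}</x>{err}</presence>"


CAPTCHA_MSG = f"<message xmlns='{NS_CLIENT}' from='{ROOM}'><captcha xmlns='{NS_CAPTCHA}'/></message>"
NOT_ACCEPTABLE = (f"<iq xmlns='{NS_CLIENT}' type='error' id='p1' from='{ROOM}/{NICK}'>"
                  f"<error type='cancel'><not-acceptable xmlns='{NS_STANZAS}'/></error></iq>")


def scenarios():
    """Run the constructed join outcomes; returns the resulting state per case."""
    out = {"no_answer": MucJoin(ROOM, NICK).timeout()}
    out["password"] = MucJoin(ROOM, NICK).feed(presence(NICK, "error", cond="not-authorized"))
    j = MucJoin(ROOM, NICK)
    out["captcha"] = j.feed(CAPTCHA_MSG)
    j.answer_captcha()
    out["captcha_rejected"] = j.feed(presence(NICK, "error", cond="not-authorized"))
    j = MucJoin(ROOM, NICK)
    out["archived_captcha"] = j.feed(CAPTCHA_MSG, archived=True)
    out["other_occupant"] = j.feed(presence("bob"))
    out["joined_no_subject"] = (j.feed(presence(NICK, codes=("110",))), j.subject)
    out["banned"] = j.feed(presence(NICK, "unavailable", codes=("301", "110")))
    j = MucJoin(ROOM, NICK)
    j.feed(presence(NICK, codes=("110",)))
    out["silently_removed"] = j.self_ping_result(NOT_ACCEPTABLE)
    return out
```

The join is considered complete at the self-presence, so a room that never sends a subject still ends in "joined"; a room that sends neither self-presence nor an error only ever leaves "joining" through timeout().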
== MUC-PMs ==
TODO
== Affiliation ==
# The client gets muted by the MUC, with or without a message
== Other ==
# Another occupant sends an invalid presence to the room (I'm looking at you, old Gajim)
= HTTP File Upload =
A testing component could reject the file slot request IQ ([https://xmpp.org/extensions/xep-0363.html XEP-0363]) with different errors based on the requested file name or file size. A client developer would have a set of corresponding files to trigger the different conditions.
= Jingle =
TODO: all kinds of handshake failures
= MAM =
TODO: incomplete archive, incoherent IDs, duplicates
# A client attempts to fetch MAM with an archive ID (in the RSM <after/> or <before/> element) that is unknown to the server because the message has expired from the archive; the server answers with an item-not-found error and the client has to restart the query without the stale anchor instead of treating the archive as fully synced
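An archive sync loop that covers the three TODO items and the expired-ID case, as an added example that is not part of this wiki or of any client. It assumes an account archive queried with urn:xmpp:mam:2 and RSM paging; the server responses in demo() are constructed. Duplicates are dropped by archive id, a wrapped <stanza-id/> that disagrees with the <result id> is counted rather than trusted, and an item-not-found on a query anchored with <after/> restarts the fetch without the anchor:

```python
"""Archive sync for the MAM cases above: duplicate suppression by archive id,
result/stanza-id mismatch detection, RSM paging, and recovery when the
<after/> anchor has expired from the archive (item-not-found). Added example,
not code from this wiki or any client; standard library only, and every
server response in demo() is constructed."""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_MAM = "urn:xmpp:mam:2"
NS_RSM = "http://jabber.org/protocol/rsm"
NS_FORWARD = "urn:xmpp:forward:0"
NS_SID = "urn:xmpp:sid:0"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"


def q(ns, tag):
    return f"{{{ns}}}{tag}"


def build_query(queryid, after_id=None, page=50):
    """MAM query IQ; <after/> continues from the newest archive id already held."""
    rsm = f"<max>{page}</max>" + (f"<after>{after_id}</after>" if after_id else "")
    return (f"<iq xmlns='{NS_CLIENT}' type='set' id='{queryid}'><query xmlns='{NS_MAM}' "
            f"queryid='{queryid}'><set xmlns='{NS_RSM}'>{rsm}</set></query></iq>")


class ArchiveSync:
    def __init__(self):
        self.messages = {}       # archive id -> (sender, body), in arrival order
        self.last_id = None      # newest archive id held; anchor for the next query
        self.mismatched_ids = 0  # results whose inner <stanza-id/> disagreed with <result id>
        self.queryid = None
        self._n = 0

    def next_query(self):
        self._n += 1
        self.queryid = f"sync{self._n}"
        return build_query(self.queryid, self.last_id)

    def ingest(self, xml_text):
        """Feed one <result/> wrapper; True if a message was added, False if dropped."""
        res = ET.fromstring(xml_text).find(q(NS_MAM, "result"))
        if res is None or res.get("queryid") != self.queryid:
            return False  # not an answer to our query (see the impersonation section)
        aid = res.get("id")
        inner = res.find(f"{q(NS_FORWARD, 'forwarded')}/{q(NS_CLIENT, 'message')}")
        if inner is None or aid in self.messages:
            return False  # empty result, or a duplicate from overlapping pages
        sid = inner.find(q(NS_SID, "stanza-id"))
        if sid is not None and sid.get("id") != aid:
            self.mismatched_ids += 1  # incoherent ids: the <result id> is what paging uses
        self.messages[aid] = (inner.get("from"), inner.findtext(q(NS_CLIENT, "body"), default=""))
        return True

    def finish(self, xml_text):
        """Handle the IQ that closes the query; returns the next IQ to send, or None when caught up."""
        iq = ET.fromstring(xml_text)
        if iq.get("type") == "error":
            cond = next((c.tag.rsplit("}", 1)[1] for c in iq.iter()
                         if c.tag.startswith("{" + NS_STANZAS + "}") and not c.tag.endswith("}text")),
                        "undefined-condition")
            if cond == "item-not-found" and self.last_id is not None:
                # The anchor expired from the archive: drop it and refetch from the
                # beginning; the id set in ingest() keeps the overlap from duplicating.
                self.last_id = None
                return self.next_query()
            raise RuntimeError(f"MAM query failed: {cond}")
        fin = iq.find(q(NS_MAM, "fin"))
        last = fin.find(f"{q(NS_RSM, 'set')}/{q(NS_RSM, 'last')}")
        if last is not None:
            self.last_id = last.text
        return None if fin.get("complete") == "true" else self.next_query()


def demo():
    """Constructed run: an expired anchor, then one page holding a duplicate and a mismatched id."""
    sync = ArchiveSync()
    sync.last_id = "expired-id"  # pretend an earlier sync ended here
    out = {"first_has_after": "<after>expired-id</after>" in sync.next_query()}
    retry = sync.finish(f"<iq xmlns='{NS_CLIENT}' type='error' id='{sync.queryid}'>"
                        f"<error type='cancel'><item-not-found xmlns='{NS_STANZAS}'/></error></iq>")
    out["retry_has_after"] = "<after>" in retry

    def result(aid, sid, body):
        return (f"<message xmlns='{NS_CLIENT}' to='alice@example.org/phone'>"
                f"<result xmlns='{NS_MAM}' queryid='{sync.queryid}' id='{aid}'><forwarded xmlns='{NS_FORWARD}'>"
                f"<message xmlns='{NS_CLIENT}' from='bob@example.org'><stanza-id xmlns='{NS_SID}' id='{sid}' "
                f"by='alice@example.org'/><body>{body}</body></message></forwarded></result></message>")

    out["ingested"] = [sync.ingest(result("a1", "a1", "one")), sync.ingest(result("a2", "zz", "two")),
                       sync.ingest(result("a1", "a1", "one again"))]
    out["mismatched"] = sync.mismatched_ids
    nxt = sync.finish(f"<iq xmlns='{NS_CLIENT}' type='result' id='{sync.queryid}'><fin xmlns='{NS_MAM}' "
                      f"complete='false'><set xmlns='{NS_RSM}'><first>a1</first><last>a2</last></set></fin></iq>")
    out["next_after"] = "<after>a2</after>" in nxt
    out["count"] = len(sync.messages)
    return out
```

Restarting without an anchor refetches history the client already holds, which is exactly why the id set is kept across queries: the overlap costs bandwidth, not duplicated messages in the UI.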
[[Category:Interop]]