Security issue - subscription request is accepted automatically event when user doesn't add user to roster

[sarsonj]

By default, XmppFramework automatically accepts known subscription request for users, that are already in roster. The idea is described in XmppRoster.h, but unfortunately, the assumptions described in this file is false. The assumption is, that only user himself can item into roster, so that XmppFramework auto accepts only users, that are known to user.

However, XMPP protocol defines also subscription pre-approval. As described in XMPP spec: https://xmpp.org/rfcs/rfc6121.html#sub-preapproval-proc, after sending pre-approval to another user, the another user is added to this user's roster automatically by XMPP server with subscription="none".

With knowledge of this, lets have Bob and Alice. Bob wants to "stalk" Alice. To do this, Bob has to do those steps:

1. Bob send Pre-approval subscription to Alice. Using this, the XMPP server adds Bob into Alice's roster with subscription none.
2. then Bob send subscription request to Alice. Alice is using app with XmppFramework with Roster plugin enabled. Because Bob is in roster, the subscription request is accepted automatically.
3. Bob can now even cancel Alice's subscription, he don't need it any more. So that Bob can "stalk" Alice and Alice cannot see Bob's status. Because in may XMPP clients only online users are visible, there is big chance, that Alice will not notice, that Bobs is subscribed to her.

It is pity, that default autoAcceptKnownPresenceSubscriptionRequests is set to true, so the change may be breaking change for apps. But it seems to really serious issue to me, that this change should be made. And there should be big warning, when autoAcceptKnownPresenceSubscriptionRequests is used.

[Neustradamus]

To follow this ticket.