Commit ffdb6ffd authored by mathieui's avatar mathieui

Check origin of roster pushes

slixmpp is vulnerable to roster push attacks as described by Daniel
Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html.

(CVE-2015-8688)
parent 7560db85
......@@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP):
CoroutineCallback('Stream Features',
MatchXPath('{%s}features' % self.stream_ns),
self._handle_stream_features))
def roster_push_filter(iq):
from_ = iq['from']
if from_ and from_ != self.boundjid.bare:
return
self.event('roster_update', iq)
self.register_handler(
Callback('Roster Update',
StanzaPath('iq@type=set/roster'),
lambda iq: self.event('roster_update', iq)))
roster_push_filter))
# Setup default stream features
self.register_plugin('feature_starttls')
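Review bot: The new `roster_push_filter` silently discards a push whose `from` is present and differs from the account's bare JID, leaving no trace of the rejected stanza; for the attack this commit closes, a rejected push is exactly the event an operator would want to see, so the early `return` should be preceded by a log entry (at whatever level the module's existing logger uses — it is not visible in the hunk) recording the offending `from`. The check itself follows RFC 6121 §2.1.6, which says a client must ignore a roster push unless it has no `from` or a `from` equal to the user's bare JID, but the nested function carries no comment saying so; a docstring such as `"""Ignore roster pushes not sent by our own server (RFC 6121 §2.1.6, CVE-2015-8688)."""` would keep the next maintainer from "simplifying" the guard away. The comparison `from_ != self.boundjid.bare` presumably relies on `iq['from']` comparing equal to a bare-JID string and on an absent `from` being falsy; worth confirming against the JID type rather than assuming it. The enclosing method starts and ends outside the hunk.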