summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormathieui <mathieui@mathieui.net>2016-11-21 21:42:51 +0100
committermathieui <mathieui@mathieui.net>2016-11-21 21:42:51 +0100
commitffdb6ffd69522bb14760eca196511ac69a158831 (patch)
tree8a3f6eaaaa01c8eb10163065138434bcd717132d
parent7560db856b1cde1d6778b8374272fc20a2bbfe66 (diff)
downloadslixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.tar.gz
slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.tar.bz2
slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.tar.xz
slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.zip
Check origin of roster pushes
slixmpp is vulnerable to roster push attacks as described by Daniel Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html. (CVE-2015-8688)
-rw-r--r--slixmpp/clientxmpp.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/slixmpp/clientxmpp.py b/slixmpp/clientxmpp.py
index a4bb9a60..a57546f3 100644
--- a/slixmpp/clientxmpp.py
+++ b/slixmpp/clientxmpp.py
@@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP):
CoroutineCallback('Stream Features',
MatchXPath('{%s}features' % self.stream_ns),
self._handle_stream_features))
+ def roster_push_filter(iq):
+ from_ = iq['from']
+ if from_ and from_ != self.boundjid.bare:
+ return
+ self.event('roster_update', iq)
self.register_handler(
Callback('Roster Update',
StanzaPath('iq@type=set/roster'),
- lambda iq: self.event('roster_update', iq)))
+ roster_push_filter))
# Setup default stream features
self.register_plugin('feature_starttls')