diff options
| author | mathieui <mathieui@mathieui.net> | 2016-11-21 21:42:51 +0100 |
|---|---|---|
| committer | mathieui <mathieui@mathieui.net> | 2016-11-21 21:42:51 +0100 |
| commit | ffdb6ffd69522bb14760eca196511ac69a158831 (patch) | |
| tree | 8a3f6eaaaa01c8eb10163065138434bcd717132d | |
| parent | 7560db856b1cde1d6778b8374272fc20a2bbfe66 (diff) | |
| download | slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.tar.gz slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.tar.bz2 slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.tar.xz slixmpp-ffdb6ffd69522bb14760eca196511ac69a158831.zip | |
Check origin of roster pushes
slixmpp is vulnerable to roster push attacks as described by Daniel
Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html.
(CVE-2015-8688)
| -rw-r--r-- | slixmpp/clientxmpp.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/slixmpp/clientxmpp.py b/slixmpp/clientxmpp.py index a4bb9a60..a57546f3 100644 --- a/slixmpp/clientxmpp.py +++ b/slixmpp/clientxmpp.py @@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP): CoroutineCallback('Stream Features', MatchXPath('{%s}features' % self.stream_ns), self._handle_stream_features)) + def roster_push_filter(iq): + from_ = iq['from'] + if from_ and from_ != self.boundjid.bare: + return + self.event('roster_update', iq) self.register_handler( Callback('Roster Update', StanzaPath('iq@type=set/roster'), - lambda iq: self.event('roster_update', iq))) + roster_push_filter)) # Setup default stream features self.register_plugin('feature_starttls') |