From ffdb6ffd69522bb14760eca196511ac69a158831 Mon Sep 17 00:00:00 2001
From: mathieui
Date: Mon, 21 Nov 2016 21:42:51 +0100
Subject: Check origin of roster pushes

slixmpp is vulnerable to roster push attacks as described by Daniel Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html. (CVE-2015-8688)
---
 slixmpp/clientxmpp.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/slixmpp/clientxmpp.py b/slixmpp/clientxmpp.py
index a4bb9a60..a57546f3 100644
--- a/slixmpp/clientxmpp.py
+++ b/slixmpp/clientxmpp.py
@@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP):
 CoroutineCallback('Stream Features',
 MatchXPath('{%s}features' % self.stream_ns),
 self._handle_stream_features))
+ def roster_push_filter(iq):
+ from_ = iq['from']
+ if from_ and from_ != self.boundjid.bare:
+ return
+ self.event('roster_update', iq)
 self.register_handler(
 Callback('Roster Update',
 StanzaPath('iq@type=set/roster'),
- lambda iq: self.event('roster_update', iq)))
+ roster_push_filter))
 # Setup default stream features
 self.register_plugin('feature_starttls')
-- cgit v1.2.3
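Review bot: The rejecting branch of `roster_push_filter` is a bare `return`, so a roster push that fails the origin check is dropped without any trace. A warning that records `from_` before the `return` would let an operator see these attempts, e.g. `log.warning('Ignoring roster push from %s', from_)`, assuming the module has a logger named `log` (not visible in this hunk). The guard also depends on `if from_` being false when the stanza has no 'from' attribute. If `iq['from']` returns an empty JID object rather than None, and that class defines no truthiness, legitimate server pushes would be discarded, so an explicit emptiness test would be safer. A short comment above the function, such as `# RFC 6121 2.1.6: accept a roster push only if it has no 'from' or comes from our own bare JID (CVE-2015-8688)`, would keep the reason next to the check. The enclosing method of `ClientXMPP` starts and ends outside the hunk.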