diff mcabber/mcabber/utils.c @ 2283:6e1ead98930d
Check origin of roster pushes
MCabber is vulnerable to roster push attacks as described by Daniel Gultsch
at https://gultsch.de/gajim_roster_push_and_message_interception.html.
This patch should fix the problem by checking the sender of the iq:roster
stanzas.
Thanks to Sam Whited for the report.
| author | Mikael Berthe <mikael@lilotux.net> |
|---|---|
| date | Mon, 21 Nov 2016 20:35:28 +0100 |
| parents | f5402d705f67 |
| children | e00ae0763468 |
--- a/mcabber/mcabber/utils.c Sun Sep 18 17:13:53 2016 +0200 +++ b/mcabber/mcabber/utils.c Mon Nov 21 20:35:28 2016 +0100 @@ -96,6 +96,9 @@ char *ptr; char *server; + if (!username) { + return NULL; + } if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) { server = g_strdup(ptr+1); return server;
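Review bot: the new `if (!username) { return NULL; }` guard at the top of this utils.c function makes NULL a possible return value, and nothing visible in the hunk documents that for callers. The path shown right after it returns a `g_strdup()` copy, so callers already own and free the result, and `g_free(NULL)` is safe. The risk is in any caller that compares the result as a string without testing for NULL first. If the NULL username comes from a stanza with no `from` attribute (an assumption, since the call sites are not in this file's hunk), then a missing sender is a case the roster-push origin check has to decide on deliberately rather than by falling through. I would add a sentence to the function's comment saying that a NULL argument yields NULL, and confirm that each call site handles it explicitly.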