# HG changeset patch
# User Mikael Berthe
# Date 1479756928 -3600
# Node ID 6e1ead98930d7dd0a520ad17c720ae4908429033
# Parent 3d6986784daee106b9143976e7576cb3ecee5380
Check origin of roster pushes
MCabber is vulnerable to roster push attacks as described by Daniel Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html. This patch should fix the problem by checking the sender of the iq:roster stanzas. Thanks to Sam Whited for the report.
diff -r 3d6986784dae -r 6e1ead98930d mcabber/mcabber/utils.c
--- a/mcabber/mcabber/utils.c Sun Sep 18 17:13:53 2016 +0200
+++ b/mcabber/mcabber/utils.c Mon Nov 21 20:35:28 2016 +0100
@@ -96,6 +96,9 @@
 char *ptr;
 char *server;
+ if (!username) {
+ return NULL;
+ }
 if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) {
 server = g_strdup(ptr+1);
 return server;
diff -r 3d6986784dae -r 6e1ead98930d mcabber/mcabber/xmpp_iq.c
--- a/mcabber/mcabber/xmpp_iq.c Sun Sep 18 17:13:53 2016 +0200
+++ b/mcabber/mcabber/xmpp_iq.c Mon Nov 21 20:35:28 2016 +0100
@@ -582,6 +582,20 @@
 int need_refresh = FALSE;
 guint roster_type;
+ const gchar *from = lm_message_get_from(m);
+
+ if (from) {
+ gchar *self_bjid = jidtodisp(lm_connection_get_jid(c));
+ gchar *servername = get_servername(self_bjid, "");
+ if ((!jid_equal(self_bjid, from)) &&
+ (!servername || strcasecmp(from, servername))) {
+ scr_LogPrint(LPRINT_LOGNORM, "Received invalid roster IQ request");
+ g_free(self_bjid);
+ return LM_HANDLER_RESULT_REMOVE_MESSAGE;
+ }
+ g_free(self_bjid);
+ }
+
 y = lm_message_node_find_child(lm_message_node_find_xmlns(m->node, NS_ROSTER), "item");
 for ( ; y; y = y->next) {
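Review bot: The new NULL guard at the top of the utils.c hunk changes get_servername()'s contract in a way the function does not document: a NULL username now yields NULL, whereas every other path visible here returns a g_strdup() copy that the caller must free, so callers can no longer assume a non-NULL result. A one-line comment on the guard would make this explicit, e.g. `/* NULL username: return NULL (not a copy of the fallback); callers must check */`. The function's signature and its remaining return path lie outside this hunk.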
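Review bot: `servername` is leaked on both exits of the new block in the xmpp_iq.c hunk — the utils.c hunk shows get_servername() returning a g_strdup() copy, yet only `self_bjid` is freed before the early `return LM_HANDLER_RESULT_REMOVE_MESSAGE;` and again after the inner if. Add `g_free(servername);` beside each `g_free(self_bjid);` (g_free tolerates the NULL that get_servername() now returns for a NULL input). RFC 6121 §2.1.6 only has a client accept a roster push with no 'from' or with its own bare JID, so also accepting the bare server domain via strcasecmp is a deliberate relaxation that deserves a comment such as `/* RFC 6121 §2.1.6: only our own bare JID may push; the bare server domain is tolerated too */`. If jid_equal() compares full rather than bare JIDs, a push carrying our own full JID would be rejected by this check — worth confirming. The enclosing handler starts and continues outside the hunk.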