changeset 2283:6e1ead98930d

Check origin of roster pushes. MCabber was vulnerable to roster push attacks as described by Daniel Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html. This patch should fix the problem by checking the sender of the iq:roster stanzas. Thanks to Sam Whited for the report.
author Mikael Berthe <mikael@lilotux.net>
date Mon, 21 Nov 2016 20:35:28 +0100
parents 3d6986784dae
children e20ac5fe419c
files mcabber/mcabber/utils.c mcabber/mcabber/xmpp_iq.c
diffstat 2 files changed, 17 insertions(+), 0 deletions(-) [+]
--- a/mcabber/mcabber/utils.c	Sun Sep 18 17:13:53 2016 +0200
+++ b/mcabber/mcabber/utils.c	Mon Nov 21 20:35:28 2016 +0100
@@ -96,6 +96,9 @@
   char *ptr;
   char *server;
 
+  if (!username) {
+    return NULL;
+  }
   if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) {
     server = g_strdup(ptr+1);
     return server;
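Review bot: The new NULL guard changes get_servername's contract (NULL in → NULL out) without saying so, and the function's header comment — which sits outside this hunk — should document it together with the ownership of the returned string, since the `g_strdup(ptr+1)` on the next visible line hands the caller a heap copy. I would add above the signature: `/* Returns a newly allocated copy of the domain part of username (caller must g_free() it), or NULL when username is NULL. */`. What the function returns when username contains no '@' is outside the hunk, so the comment should cover that branch once checked against the rest of the body.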
--- a/mcabber/mcabber/xmpp_iq.c	Sun Sep 18 17:13:53 2016 +0200
+++ b/mcabber/mcabber/xmpp_iq.c	Mon Nov 21 20:35:28 2016 +0100
@@ -582,6 +582,20 @@
   int need_refresh = FALSE;
   guint roster_type;
 
+  const gchar *from = lm_message_get_from(m);
+
+  if (from) {
+    gchar *self_bjid = jidtodisp(lm_connection_get_jid(c));
+    gchar *servername = get_servername(self_bjid, "");
+    if ((!jid_equal(self_bjid, from)) &&
+       (!servername || strcasecmp(from, servername))) {
+      scr_LogPrint(LPRINT_LOGNORM, "Received invalid roster IQ request");
+      g_free(self_bjid);
+      return LM_HANDLER_RESULT_REMOVE_MESSAGE;
+    }
+    g_free(self_bjid);
+  }
+
   y = lm_message_node_find_child(lm_message_node_find_xmlns(m->node, NS_ROSTER),
                                  "item");
   for ( ; y; y = y->next) {
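Review bot: The `servername` returned by `get_servername(self_bjid, "")` is a `g_strdup`'d string (see the utils.c hunk) and is never freed in the new block — neither on the reject path nor after the check passes — so every accepted or rejected roster push leaks it; add `g_free(servername);` next to each `g_free(self_bjid);`. The rejection path also returns `LM_HANDLER_RESULT_REMOVE_MESSAGE` without answering, whereas an IQ set is normally expected to get an error reply (e.g. service-unavailable) rather than silence; consider sending one before returning, as the referenced advisory recommends. Whether `jid_equal` tolerates a resource suffix on `from` (a push from `user@host/res` would otherwise fall through to the domain comparison and be rejected) cannot be seen here and is worth confirming. The enclosing handler starts before this hunk and continues after it.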