Mercurial > ~mikael > mcabber > hg
comparison mcabber/mcabber/utils.c @ 2283:6e1ead98930d
Check origin of roster pushes
MCabber is vulnerable to roster push attacks as described by Daniel Gultsch
at https://gultsch.de/gajim_roster_push_and_message_interception.html.
This patch should fix the problem by checking the sender of the iq:roster
stanzas.
Thanks to Sam Whited for the report.
| author | Mikael Berthe <mikael@lilotux.net> |
|---|---|
| date | Mon, 21 Nov 2016 20:35:28 +0100 |
| parents | f5402d705f67 |
| children | e00ae0763468 |
comparison
equal
deleted
inserted
replaced
| 2275:3d6986784dae | 2283:6e1ead98930d |
|---|---|
| 94 char *get_servername(const char *username, const char *servername) | 94 char *get_servername(const char *username, const char *servername) |
| 95 { | 95 { |
| 96 char *ptr; | 96 char *ptr; |
| 97 char *server; | 97 char *server; |
| 98 | 98 |
| 99 if (!username) { | |
| 100 return NULL; | |
| 101 } | |
| 99 if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) { | 102 if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) { |
| 100 server = g_strdup(ptr+1); | 103 server = g_strdup(ptr+1); |
| 101 return server; | 104 return server; |
| 102 } | 105 } |
| 103 | 106 |