# HG changeset patch
# User Mikael Berthe
# Date 1479758338 -3600
# Node ID 1f5f708d58a60e3027d4108f51f0c017bb9bc8f9
# Parent dc1b123d63d56a8e02a83c7c88e08e1840cff888
# Parent 6753d7936217975ee230b76e108214326400ca12
Merge release 1.0.4
diff -r dc1b123d63d5 -r 1f5f708d58a6 .hgsigs
--- a/.hgsigs Sat Oct 01 18:36:47 2016 +0200
+++ b/.hgsigs Mon Nov 21 20:58:58 2016 +0100
@@ -13,3 +13,4 @@
 d703d6b42b32b1718f39e4fdc188653724c8e40d 0 iD8DBQBWqJgmPCkA3qy3/JURAvxlAJ0UUAszy1VcNmqwaNi1V1ups5WvFACgvR3/n4qLwNXlCY/rhsBCQfGC4YA=
 54a12919cdee141391bb89461ec2d673f3000e21 0 iD8DBQBW0Zp4PCkA3qy3/JURAgZXAJ4hkq05rGPfi0fiPlyXQepyVhEs8ACfUaGG5J4NYTcofIAYRrkoEo5/rPk=
 3d6986784daee106b9143976e7576cb3ecee5380 0 iD8DBQBX3rORPCkA3qy3/JURAgElAKCtALoJ2iyRFJ6bPkcGgjFuNuQNPwCeMSSr3ePeoUyMPrlm9CxZqF0Ipao=
+e20ac5fe419c3cd6b0dd369f0605cb055847888a 0 iD8DBQBYM1AoPCkA3qy3/JURAl80AJ94HmyoAeA8a5IzbJfoxBOPYBAjsQCgwwAVqGlkYBEJZx5O3zuwUlMkZGQ=
diff -r dc1b123d63d5 -r 1f5f708d58a6 .hgtags
--- a/.hgtags Sat Oct 01 18:36:47 2016 +0200
+++ b/.hgtags Mon Nov 21 20:58:58 2016 +0100
@@ -44,3 +44,4 @@
 d703d6b42b32b1718f39e4fdc188653724c8e40d 1.0.1
 54a12919cdee141391bb89461ec2d673f3000e21 1.0.2
 3d6986784daee106b9143976e7576cb3ecee5380 1.0.3
+e20ac5fe419c3cd6b0dd369f0605cb055847888a 1.0.4
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/ChangeLog
--- a/mcabber/ChangeLog Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/ChangeLog Mon Nov 21 20:58:58 2016 +0100
@@ -1,9 +1,17 @@
-mcabber (1.0.4-dev)
+mcabber (1.0.5-dev)
 *
 -- Mikael, ?
+mcabber (1.0.4)
+
+ * Bugfix: Check the origin of roster pushes
+ Cf. Gajim's CVE-2015-8688 and
+ https://gultsch.de/gajim_roster_push_and_message_interception.html
+
+ -- Mikael, 2016-11-21
+
 mcabber (1.0.3)
 * Link with the tinfo library
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/ChangeLog.api
--- a/mcabber/ChangeLog.api Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/ChangeLog.api Mon Nov 21 20:58:58 2016 +0100
@@ -1,5 +1,6 @@
 dev (41)
+ * Stable api 1.0.4:1
 * Stable api 1.0.3:1
 * Stable api 1.0.2:1
 * Stable api 1.0.1:1
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/configure.ac
--- a/mcabber/configure.ac Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/configure.ac Mon Nov 21 20:58:58 2016 +0100
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.59)
-AC_INIT([mcabber],[1.0.4-dev],[mcabber@lilotux.net])
+AC_INIT([mcabber],[1.0.5-dev],[mcabber@lilotux.net])
 XC_AUTOMAKE
 AC_CONFIG_SRCDIR([mcabber])
 AC_CONFIG_HEADERS([mcabber/config.h])
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/doc/mcabber.1
--- a/mcabber/doc/mcabber.1 Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/doc/mcabber.1 Mon Nov 21 20:58:58 2016 +0100
@@ -4,10 +4,10 @@
 .\" Generator: DocBook XSL Stylesheets v1.75.2
 .\" Date: 09/18/2016
 .\" Manual: \ \&
-.\" Source: \ \& 1.0.4-dev
+.\" Source: \ \& 1.0.5-dev
 .\" Language: English
 .\"
-.TH "MCABBER" "1" "09/18/2016" "\ \& 1\&.0\&.4\-dev\" "\ \&"
+.TH "MCABBER" "1" "09/18/2016" "\ \& 1\&.0\&.5\-dev\" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/doc/mcabber.1.html
--- a/mcabber/doc/mcabber.1.html Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/doc/mcabber.1.html Mon Nov 21 20:58:58 2016 +0100
@@ -2616,8 +2616,8 @@

diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/doc/mcabber.1.txt
--- a/mcabber/doc/mcabber.1.txt Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/doc/mcabber.1.txt Mon Nov 21 20:58:58 2016 +0100
@@ -1,7 +1,7 @@
 MCABBER(1)
 ===========
 Mikael BERTHE
-v1.0.4-dev, September 2016
+v1.0.5-dev, November 2016
 NAME
 ----
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/mcabber/utils.c
--- a/mcabber/mcabber/utils.c Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/mcabber/utils.c Mon Nov 21 20:58:58 2016 +0100
@@ -96,6 +96,9 @@
 char *ptr;
 char *server;
+ if (!username) {
+ return NULL;
+ }
 if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) {
 server = g_strdup(ptr+1);
 return server;
diff -r dc1b123d63d5 -r 1f5f708d58a6 mcabber/mcabber/xmpp_iq.c
--- a/mcabber/mcabber/xmpp_iq.c Sat Oct 01 18:36:47 2016 +0200
+++ b/mcabber/mcabber/xmpp_iq.c Mon Nov 21 20:58:58 2016 +0100
@@ -582,6 +582,20 @@
 int need_refresh = FALSE;
 guint roster_type;
+ const gchar *from = lm_message_get_from(m);
+
+ if (from) {
+ gchar *self_bjid = jidtodisp(lm_connection_get_jid(c));
+ gchar *servername = get_servername(self_bjid, "");
+ if ((!jid_equal(self_bjid, from)) &&
+ (!servername || strcasecmp(from, servername))) {
+ scr_LogPrint(LPRINT_LOGNORM, "Received invalid roster IQ request");
+ g_free(self_bjid);
+ return LM_HANDLER_RESULT_REMOVE_MESSAGE;
+ }
+ g_free(self_bjid);
+ }
+
 y = lm_message_node_find_child(lm_message_node_find_xmlns(m->node, NS_ROSTER), "item");
 for ( ; y; y = y->next) {
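Review bot: The new `if (!username)` guard in utils.c makes NULL a possible return value, but nothing visible in the hunk documents that or says who owns the result; the function's header comment, if it has one, is outside the hunk. Since the visible branch returns a `g_strdup()` copy, I would state both on the function: `/* Returns NULL when username is NULL; otherwise the result is allocated and must be released with g_free(). */`. The signature and the remaining return path are not visible here, so the ownership wording should be confirmed against the fallback branch.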
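Review bot: `servername` is never released in the added origin check in xmpp_iq.c: the rejecting branch and the fall-through both free `self_bjid` only, while the utils.c hunk on this page shows what appears to be get_servername() returning a `g_strdup()` copy. The rejecting branch is the one reached by stanzas whose `from` is neither the user's bare JID nor the server, so every rejected roster push would leak a small allocation; add `g_free(servername);` next to both `g_free(self_bjid);` calls. The log entry would also be more useful for spotting an interception attempt if it named the sender, e.g. `scr_LogPrint(LPRINT_LOGNORM, "Received invalid roster IQ request from <%s>", from);`. The enclosing handler starts and ends outside the hunk.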