aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2013-03-27 23:09:47 +0100
committerKim Alvefur <zash@zash.se>2013-03-27 23:09:47 +0100
commit1ae928562845db6f1ce859ec99691c24122d4600 (patch)
tree92ce2dd7e79ebb8612f958df1f0686489d08c0db
parente3b9a1075ecd03ef653f0598364e4ec373d66651 (diff)
downloadprosody-1ae928562845db6f1ce859ec99691c24122d4600.tar.gz
prosody-1ae928562845db6f1ce859ec99691c24122d4600.zip
mod_s2s: Prevent s2s to and from hosts we serve locally
-rw-r--r--plugins/mod_s2s/mod_s2s.lua12
1 files changed, 12 insertions, 0 deletions
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 0d552ce8..6893d184 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -80,6 +80,10 @@ function route_to_existing_session(event)
log("warn", "Attempt to send stanza from %s - a host we don't serve", from_host);
return false;
end
+ if hosts[to_host] then
+ log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", from_host);
+ return false;
+ end
local host = hosts[from_host].s2sout[to_host];
if host then
-- We have a connection to this host already
@@ -188,6 +192,9 @@ function make_authenticated(event)
});
end
end
+ if hosts[host] then
+ session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
+ end
if session.type == "s2sout_unauthed" then
session.type = "s2sout";
elseif session.type == "s2sin_unauthed" then
@@ -321,6 +328,11 @@ function stream_callbacks.streamopened(session, attr)
end
end
+ if hosts[from] then
+ session:close({ condition = "undefined-condition", text = "Attempt to connect from a host we serve" });
+ return;
+ end
+
if session.secure and not session.cert_chain_status then
if check_cert_status(session) == false then
return;