authorKim Alvefur <zash@zash.se>2016-04-19 12:17:00 +0200
committerKim Alvefur <zash@zash.se>2016-04-19 12:17:00 +0200
commit4de7923fba7776bfcb26965b5c106b84b07b11a3 (patch)
treeb2e472a012a8fb8a59272ab4d4060e79aff17dab
parent9cf04c820a418a57a8826b018dc1723824635133 (diff)
mod_bosh: Validate 'to' host (see #343)
-rw-r--r--plugins/mod_bosh.lua10
1 files changed, 9 insertions, 1 deletions
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 64d52f91..f2cfb44a 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -21,6 +21,7 @@ local initialize_filters = require "util.filters".initialize;
local math_min = math.min;
local xpcall, tostring, type = xpcall, tostring, type;
local traceback = debug.traceback;
+local nameprep = require "util.encodings".stringprep.nameprep;
local xmlns_streams = "http://etherx.jabber.org/streams";
local xmlns_xmpp_streams = "urn:ietf:params:xml:ns:xmpp-streams";
@@ -244,7 +245,14 @@ function stream_callbacks.streamopened(context, attr)
context.notopen = nil; -- Signals that we accept this opening tag
-- TODO: Sanity checks here (rid, to, known host, etc.)
- if not hosts[attr.to] then
+ local to_host = nameprep(attr.to);
+ if not to_host then
+ log("debug", "BOSH client tried to connect to invalid host: %s", tostring(attr.to));
+ local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
+ ["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" });
+ response:send(tostring(close_reply));
+ return;
+ elseif not hosts[to_host] then
-- Unknown host
log("debug", "BOSH client tried to connect to unknown host: %s", tostring(attr.to));
local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
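Review bot: After this check the normalised name exists only in `to_host`, while `attr.to` is still the raw client-supplied value, so any later use of `attr.to` would skip the normalisation that the `hosts[to_host]` lookup relied on. The function `streamopened` continues past this hunk, so it is worth confirming that the rest of it, in particular wherever the session's host is recorded, reads `to_host` and not `attr.to`. A comment at the new local would make that intent explicit, e.g. `-- attr.to is client-controlled; use the nameprep'd to_host for all lookups and session state below`. The `TODO` line above still lists `to` and `known host` as unchecked and could be trimmed to what remains (`rid`).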