authorMatthew Wild <mwild1@gmail.com>2021-05-12 13:59:49 +0100
committerMatthew Wild <mwild1@gmail.com>2021-05-12 13:59:49 +0100
commit0d3dc2e5223f7f63449a2c5c92b97e310377dca9 (patch)
treed96c8462e126df9a5efc578323f6687c377a084a /plugins
parent6f6c807bdf9eb25f335ace6f73243801019bbb87 (diff)
mod_proxy65: Restrict access to local c2s connections by default
Previously, leaving the 'proxy65_acl' option unset allowed unrestricted access by local or remote JIDs.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_proxy65.lua16
1 files changed, 12 insertions, 4 deletions
diff --git a/plugins/mod_proxy65.lua b/plugins/mod_proxy65.lua
index 00833772..36614810 100644
--- a/plugins/mod_proxy65.lua
+++ b/plugins/mod_proxy65.lua
@@ -94,6 +94,7 @@ function module.add_host(module)
local proxy_address = module:get_option_string("proxy65_address", host);
local proxy_acl = module:get_option_array("proxy65_acl");
+ local proxy_open_access = module:get_option_boolean("proxy65_open_access", false);
-- COMPAT w/pre-0.9 where proxy65_port was specified in the components section of the config
local legacy_config = module:get_option_number("proxy65_port");
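Review bot: The new `proxy65_open_access` option is read here with no comment saying what enabling it exposes. Going by the second hunk, it only takes effect when `proxy65_acl` is unset or empty, and then lets any JID, local or remote, use the proxy. I would add above the new line: `-- proxy65_open_access: allow any JID (local or remote) when no proxy65_acl is set; ignored if an ACL is configured`. `module.add_host` starts and ends outside this hunk.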
@@ -110,13 +111,20 @@ function module.add_host(module)
-- check ACL
-- using 'while' instead of 'if' so we can break out of it
- while proxy_acl and #proxy_acl > 0 do --luacheck: ignore 512
+ local allow;
+ if proxy_acl and #proxy_acl > 0 then
local jid = stanza.attr.from;
- local allow;
for _, acl in ipairs(proxy_acl) do
- if jid_compare(jid, acl) then allow = true; break; end
+ if jid_compare(jid, acl) then
+ allow = true;
+ break;
+ end
end
- if allow then break; end
+ elseif proxy_open_access or origin.type == "c2s" then
+ allow = true;
+ end
+
+ if not allow then
module:log("warn", "Denying use of proxy for %s", tostring(stanza.attr.from));
origin.send(st.error_reply(stanza, "auth", "forbidden"));
return true;
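Review bot: The context comment `-- using 'while' instead of 'if' so we can break out of it` is stale now that the block is a plain `if`, and it sits directly above the access decision. I would replace it with a statement of the policy, e.g. `-- a non-empty proxy65_acl is authoritative; otherwise only local c2s sessions are allowed unless proxy65_open_access is set`. The `origin.type == "c2s"` test also refuses every other origin type by default (presumably local components and server-to-server sessions), which is worth saying in the same comment so operators know to list such JIDs in `proxy65_acl`. The handler this check belongs to begins and ends outside the hunk, so whether the module's other bytestreams handlers apply the same check cannot be confirmed from here.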