mod_muc_mam: Validate that the FORM_TYPE of a query is as expected

author: Kim Alvefur <zash@zash.se> 2019-03-04 13:13:37 +0100
committer: Kim Alvefur <zash@zash.se> 2019-03-04 13:13:37 +0100
commit: 37ba8188057989a530aa5a5e138b181d1ad855a1 (patch)
tree: 943287ef15b5ca1ab57e9fb7b1c409b11027f823 /plugins
parent: 162e8837947005f1be6d129a22f62dcc0de0cae5 (diff)
download: prosody-37ba8188057989a530aa5a5e138b181d1ad855a1.tar.gz
prosody-37ba8188057989a530aa5a5e138b181d1ad855a1.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/plugins/mod_muc_mam.lua b/plugins/mod_muc_mam.lua
index 166a5c71..963e5255 100644
--- a/plugins/mod_muc_mam.lua
+++ b/plugins/mod_muc_mam.lua
@@ -21,6 +21,7 @@ local jid_bare = require "util.jid".bare;
 local jid_split = require "util.jid".split;
 local jid_prep = require "util.jid".prep;
 local dataform = require "util.dataforms".new;
+local get_form_type = require "util.dataforms".get_type;
 
 local mod_muc = module:depends"muc";
 local get_room_from_jid = mod_muc.get_room_from_jid;
@@ -131,7 +132,11 @@ module:hook("iq-set/bare/"..xmlns_mam..":query", function(event)
 	local qstart, qend;
 	local form = query:get_child("x", "jabber:x:data");
 	if form then
-		local err;
+		local form_type, err = get_form_type(form);
+		if form_type ~= xmlns_mam then
+			origin.send(st.error_reply(stanza, "modify", "bad-request", "Unexpected FORM_TYPE, expected '"..xmlns_mam.."'"));
+			return true;
+		end
 		form, err = query_form:data(form);
 		if err then
 			origin.send(st.error_reply(stanza, "modify", "bad-request", select(2, next(err))));
author	Kim Alvefur <zash@zash.se>	2019-03-04 13:13:37 +0100
committer	Kim Alvefur <zash@zash.se>	2019-03-04 13:13:37 +0100
commit	37ba8188057989a530aa5a5e138b181d1ad855a1 (patch)
tree	943287ef15b5ca1ab57e9fb7b1c409b11027f823 /plugins
parent	162e8837947005f1be6d129a22f62dcc0de0cae5 (diff)
download	prosody-37ba8188057989a530aa5a5e138b181d1ad855a1.tar.gz prosody-37ba8188057989a530aa5a5e138b181d1ad855a1.zip