diff options
author | Kim Alvefur <zash@zash.se> | 2019-07-20 04:19:58 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2019-07-20 04:19:58 +0200 |
commit | 74c233d1198c790e7c6fab0289fa43da7980a576 (patch) | |
tree | d3e14031365c5059107e696d558e1750ca1e1cb5 /plugins | |
parent | 23eb311e20cfdcba0fbc497fd45e448ee619f640 (diff) | |
download | prosody-74c233d1198c790e7c6fab0289fa43da7980a576.tar.gz prosody-74c233d1198c790e7c6fab0289fa43da7980a576.zip |
mod_websocket: Clone stanza before mutating (fixes #1398)
Checking for `stanza.attr.xmlns == nil` to determine if the stanza
object is an actual stanza (`<message>`, `<presence>` or `<iq>` in the
`jabber:client` or `jabbber:server` namespace) or some other stream
element.
Since this mutation is not reverted, it may leak to other places and
cause them to mistreat stanzas as stream elements. Especially in cases
like MUC where a single stanza is broadcast to many recipients.
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/mod_websocket.lua | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua index b4aba338..686a8981 100644 --- a/plugins/mod_websocket.lua +++ b/plugins/mod_websocket.lua @@ -285,6 +285,7 @@ function handle_request(event) end); add_filter(session, "stanzas/out", function(stanza) + stanza = st.clone(stanza); local attr = stanza.attr; attr.xmlns = attr.xmlns or xmlns_client; if stanza.name:find("^stream:") then |