From b430cda5c7c87b20ae26b1d78b61be0ae0013241 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 31 Aug 2021 11:26:42 +0200
Subject: mod_mam: Only check for locally generated stanza-ids

Otherwise a message archived by a remote server would be incorrectly
silently discarded. This should be safe from spoofing thanks to
strip_stanza_id earlier in the event chain.
---
 plugins/mod_mam/mod_mam.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'plugins/mod_mam')

diff --git a/plugins/mod_mam/mod_mam.lua b/plugins/mod_mam/mod_mam.lua
index 671967c3..50401aa1 100644
--- a/plugins/mod_mam/mod_mam.lua
+++ b/plugins/mod_mam/mod_mam.lua
@@ -480,8 +480,11 @@ module:hook("pre-message/full", strip_stanza_id_after_other_events, -1);
 -- which would not be accurate because it has been archived.
 module:hook("message/offline/handle", function(event)
 	local stanza = event.stanza;
-	if stanza:get_child("stanza-id", xmlns_st_id) then
-		return true;
+	local user = event.username .. "@" .. host;
+	for st_id in stanza:childtags("stanza-id", xmlns_st_id) do
+		if st_id.attr.by == user then
+			return true;
+		end
 	end
 end, -2);
 
-- 
cgit v1.2.3