From cfbd9d02e2b70a3c537a18532768d33882d0cd9f Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Wed, 27 Mar 2013 23:09:47 +0100
Subject: mod_s2s: Prevent s2s to and from hosts we serve locally

---
 plugins/mod_s2s/mod_s2s.lua | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'plugins/mod_s2s/mod_s2s.lua')

diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 0d552ce8..6893d184 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -80,6 +80,10 @@ function route_to_existing_session(event)
 		log("warn", "Attempt to send stanza from %s - a host we don't serve", from_host);
 		return false;
 	end
+	if hosts[to_host] then
+		log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", from_host);
+		return false;
+	end
 	local host = hosts[from_host].s2sout[to_host];
 	if host then
 		-- We have a connection to this host already
@@ -188,6 +192,9 @@ function make_authenticated(event)
 			});
 		end
 	end
+	if hosts[host] then
+		session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
+	end
 	if session.type == "s2sout_unauthed" then
 		session.type = "s2sout";
 	elseif session.type == "s2sin_unauthed" then
@@ -321,6 +328,11 @@ function stream_callbacks.streamopened(session, attr)
 			end
 		end
 
+		if hosts[from] then
+			session:close({ condition = "undefined-condition", text = "Attempt to connect from a host we serve" });
+			return;
+		end
+
 		if session.secure and not session.cert_chain_status then
 			if check_cert_status(session) == false then
 				return;
-- 
cgit v1.2.3