From 27377b993617a2840ef7f97948676c3d4a6b181a Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sat, 23 Mar 2013 23:30:13 +0100 Subject: mod_s2s: Keep the dns answer object around a while so plugins can look at it --- plugins/mod_s2s/s2sout.lib.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_s2s/s2sout.lib.lua b/plugins/mod_s2s/s2sout.lib.lua index 5ebbee8e..f89c5fc4 100644 --- a/plugins/mod_s2s/s2sout.lib.lua +++ b/plugins/mod_s2s/s2sout.lib.lua @@ -90,7 +90,7 @@ function s2sout.attempt_connection(host_session, err) host_session.connecting = nil; if answer and #answer > 0 then log("debug", "%s has SRV records, handling...", to_host); - local srv_hosts = {}; + local srv_hosts = { answer = answer }; host_session.srv_hosts = srv_hosts; for _, record in ipairs(answer) do t_insert(srv_hosts, record.srv); -- cgit v1.2.3 From 82e45d16423dd6543c4c307f65c311545b8895a3 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 25 Mar 2013 08:18:49 +0100 Subject: mod_s2s: session.from_host does not allways exist on incoming connections, true and nil or "our hostname" does not evaluate to what we want here --- plugins/mod_s2s/mod_s2s.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index ec969cc3..dc4d727d 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -211,7 +211,7 @@ end --- Helper to check that a session peer's certificate is valid local function check_cert_status(session) - local host = session.direction == "incoming" and session.from_host or session.to_host + local host = session.direction == "outgoing" and session.to_host or session.from_host local conn = session.conn:socket() local cert if conn.getpeercertificate then -- cgit v1.2.3 From 854db75cc239f511d266325edf15bd3182d68519 Mon Sep 17 00:00:00 2001 
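Review bot: `srv_hosts` is otherwise a plain sequence that `t_insert` fills with SRV records, and the new `answer` key in `local srv_hosts = { answer = answer };` makes it a mixed table with no comment saying why. `ipairs` and `#` still see only the records, but any code that walks the table with `pairs` would now also receive the answer object. I would add a comment above the line such as `-- srv_hosts.answer: raw DNS answer kept for plugins; not an SRV record`. The rest of `s2sout.attempt_connection` is outside the hunk, so how the table is consumed later is not visible here.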
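Review bot: The `and`/`or` form in `local host = session.direction == "outgoing" and session.to_host or session.from_host` still falls through when the middle value is nil. An outgoing session without `to_host` would select `from_host`, presumably the local host name, as the name the peer certificate is checked against. For incoming sessions `host` can now be nil, as the commit message says; the identity check lies below the hunk, so confirm that a nil `host` leaves the identity status unset rather than valid. An explicit branch avoids the first case: `local host; if session.direction == "outgoing" then host = session.to_host else host = session.from_host end`.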
From: Kim Alvefur Date: Mon, 25 Mar 2013 19:08:15 +0100 Subject: mod_s2s: Reset secure flag on new connection attempt --- plugins/mod_s2s/s2sout.lib.lua | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'plugins') diff --git a/plugins/mod_s2s/s2sout.lib.lua b/plugins/mod_s2s/s2sout.lib.lua index f89c5fc4..a22846db 100644 --- a/plugins/mod_s2s/s2sout.lib.lua +++ b/plugins/mod_s2s/s2sout.lib.lua @@ -271,6 +271,10 @@ function s2sout.make_connect(host_session, connect_host, connect_port) local from_host, to_host = host_session.from_host, host_session.to_host; + -- Reset secure flag in case this is another + -- connection attempt after a failed STARTTLS + host_session.secure = nil; + local conn, handler; if connect_host.proto == "IPv4" then conn, handler = socket.tcp(); -- cgit v1.2.3 From e3b9a1075ecd03ef653f0598364e4ec373d66651 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 26 Mar 2013 09:25:20 +0100 Subject: mod_s2s: Prevent traceback when replying to incoming connection to a host we don't serve --- plugins/mod_s2s/mod_s2s.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index dc4d727d..0d552ce8 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -486,7 +486,7 @@ function session_open_stream(session, from, to) from = from, to = to, } local local_host = session.direction == "outgoing" and from or to; - if not local_host or hosts[local_host].modules.dialback then + if not local_host or (hosts[local_host] and hosts[local_host].modules.dialback) then attr["xmlns:db"] = 'jabber:server:dialback'; end -- cgit v1.2.3 From 1ae928562845db6f1ce859ec99691c24122d4600 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Wed, 27 Mar 2013 23:09:47 +0100 Subject: mod_s2s: Prevent s2s to and from hosts we serve locally --- plugins/mod_s2s/mod_s2s.lua | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'plugins') 
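Review bot: Only `host_session.secure` is cleared in `s2sout.make_connect`, so any other per-connection TLS state on the session stays as the failed attempt left it. The `stream_callbacks.streamopened` context shown further down this page calls `check_cert_status` only when `session.secure and not session.cert_chain_status`. A `cert_chain_status` left over from the earlier attempt would therefore skip certificate checking on the new connection. Whether that field can already be set when STARTTLS fails is not visible in this hunk; if it can, reset it alongside with `host_session.cert_chain_status = nil;`. The function continues past the hunk.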
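Review bot: The condition `not local_host or (hosts[local_host] and hosts[local_host].modules.dialback)` now has three outcomes and no comment explaining them. An unknown local host advertises dialback, a served host advertises it only when the module is loaded, and an unserved host never does. A one-line comment such as `-- unknown host: advertise dialback; unserved host: do not` would record that the asymmetry is intended. Looking the entry up once with `local host_entry = hosts[local_host];` would also avoid the repeated index. `session_open_stream` starts and ends outside the hunk.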
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 0d552ce8..6893d184 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -80,6 +80,10 @@ function route_to_existing_session(event) log("warn", "Attempt to send stanza from %s - a host we don't serve", from_host); return false; end + if hosts[to_host] then + log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", from_host); + return false; + end local host = hosts[from_host].s2sout[to_host]; if host then -- We have a connection to this host already @@ -188,6 +192,9 @@ function make_authenticated(event) }); end end + if hosts[host] then + session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" }); + end if session.type == "s2sout_unauthed" then session.type = "s2sout"; elseif session.type == "s2sin_unauthed" then @@ -321,6 +328,11 @@ function stream_callbacks.streamopened(session, attr) end end + if hosts[from] then + session:close({ condition = "undefined-condition", text = "Attempt to connect from a host we serve" }); + return; + end + if session.secure and not session.cert_chain_status then if check_cert_status(session) == false then return; -- cgit v1.2.3 From 64440086ea5ee8d2f1726f2101ced46d4f08b929 Mon Sep 17 00:00:00 2001 From: Tobias Markmann Date: Thu, 28 Mar 2013 12:49:19 +0100 Subject: mod_privacy: Drop stanzas of type groupchat, so users aren't kicked from their chatrooms when blocking specific MUC occupants. --- plugins/mod_privacy.lua | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'plugins') diff --git a/plugins/mod_privacy.lua b/plugins/mod_privacy.lua index 7ec94922..dc6b153a 100644 --- a/plugins/mod_privacy.lua +++ b/plugins/mod_privacy.lua 
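Review bot: The new warning in `route_to_existing_session` formats `from_host`, although both the message text and the `hosts[to_host]` test concern the destination, so the log line names the wrong host. It should read `log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", to_host);`. This entry is what an operator would use to spot misrouted or looping s2s traffic, and the wrong name makes it hard to act on.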
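Review bot: In `make_authenticated` the new `hosts[host]` branch calls `session:close(...)` but does not return, so execution continues into the `session.type` change from `s2sout_unauthed` to `s2sout` that follows in the hunk. The parallel check this commit adds to `stream_callbacks.streamopened` does `return;` after closing. Unless `session:close` is guaranteed to make the later steps harmless, which is not visible here, add an early exit such as `return false;` after the close call. The function's return convention and the origin of `host` are outside the hunk, so match what callers expect.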
@@ -366,6 +366,10 @@ function checkIfNeedToBeBlocked(e, session) end if apply then if block then + -- drop and not bounce groupchat messages, otherwise users will get kicked + if stanza.attr.type == "groupchat" then + return true; + end module:log("debug", "stanza blocked: %s, to: %s, from: %s", tostring(stanza.name), tostring(to), tostring(from)); if stanza.name == "message" then origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); -- cgit v1.2.3
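Review bot: The groupchat early return in `checkIfNeedToBeBlocked` sits above the `module:log("debug", "stanza blocked: ...")` call, so stanzas dropped this way leave no trace in the log. Either move the new `if` below the log call or log the drop itself, e.g. `module:log("debug", "groupchat stanza dropped: to: %s, from: %s", tostring(to), tostring(from));`. The test looks only at `stanza.attr.type`, which the sender controls. That seems acceptable since the stanza is blocked either way, but a short comment saying the only effect is suppressing the error reply would help. The function starts and ends outside the hunk.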