From b433940c1ea9200498017fdf529f395a2a92de1d Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Jul 2017 00:07:34 +0200 Subject: MUC: Reject whitespace-only nicknames (fixes #337) --- plugins/muc/muc.lib.lua | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'plugins') diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua index 8c486b87..e16a43f6 100644 --- a/plugins/muc/muc.lib.lua +++ b/plugins/muc/muc.lib.lua @@ -435,6 +435,13 @@ function room_mt:handle_to_occupant(origin, stanza) -- PM, vCards, etc self._occupants[current_nick].sessions[from] = pr; self:broadcast_presence(pr, from); else -- change nick + -- a MUC service MUST NOT allow empty or invisible Room Nicknames + -- (i.e., Room Nicknames that consist only of one or more space characters). + if not select(3, jid_split(nick)):find("[^ ]") then -- resourceprep turns all whitespace into 0x20 + module:log("debug", "Rejecting invisible nickname"); + origin.send(st.error_reply(stanza, "cancel", "not-allowed")); + return; + end local occupant = self._occupants[current_nick]; local is_multisession = next(occupant.sessions, next(occupant.sessions)); if self._occupants[to] or is_multisession then @@ -467,6 +474,13 @@ function room_mt:handle_to_occupant(origin, stanza) -- PM, vCards, etc -- self:handle_to_occupant(origin, stanza); -- resend available --end else -- enter room + -- a MUC service MUST NOT allow empty or invisible Room Nicknames + -- (i.e., Room Nicknames that consist only of one or more space characters). + if not select(3, jid_split(nick)):find("[^ ]") then -- resourceprep turns all whitespace into 0x20 + module:log("debug", "Rejecting invisible nickname"); + origin.send(st.error_reply(stanza, "cancel", "not-allowed")); + return; + end local new_nick = to; local is_merge; if self._occupants[to] then -- cgit v1.2.3 From 46863c65b32369fc20ba920d46a5f4fd27293ad8 Mon Sep 17 00:00:00 2001 
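Review bot: `nick` in `select(3, jid_split(nick))` is not defined in the visible lines of either branch; the change-nick hunk and the enter-room hunk at @@ -467 only use `to` and `current_nick`. Unless it is declared outside the hunks, it resolves to a nil global. In that case `jid_split` presumably returns no resource and `:find` raises on every join or nick change, so the guard would block all room entry instead of rejecting only blank nicknames. The check should read the requested occupant JID: `if not select(3, jid_split(to)):find("[^ ]") then`. The body of handle_to_occupant starts and ends outside both hunks.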
From: Kim Alvefur Date: Thu, 27 Jul 2017 14:10:18 +0200 Subject: mod_disco: Advertise in stream-features after auth (probably what was meant in 200f1f6306a7) (fixes #957) --- plugins/mod_disco.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_disco.lua b/plugins/mod_disco.lua index 10eb632d..cd07934f 100644 --- a/plugins/mod_disco.lua +++ b/plugins/mod_disco.lua @@ -148,7 +148,7 @@ end); -- Handle caps stream feature module:hook("stream-features", function (event) - if event.origin.type == "c2s" or event.origin.type == "c2s_unauthed" then + if event.origin.type == "c2s" or event.origin.type == "c2s_unbound" then event.features:add_child(get_server_caps_feature()); end end); -- cgit v1.2.3 From cc8653d31c87dcdf4d140697e87b57ca5130d9d5 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 6 Aug 2017 13:27:47 +0200 Subject: MUC: Use variable that actually exists (thanks Martin) --- plugins/muc/muc.lib.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'plugins') diff --git a/plugins/muc/muc.lib.lua b/plugins/muc/muc.lib.lua index e16a43f6..53b4f682 100644 --- a/plugins/muc/muc.lib.lua +++ b/plugins/muc/muc.lib.lua @@ -437,7 +437,7 @@ function room_mt:handle_to_occupant(origin, stanza) -- PM, vCards, etc else -- change nick -- a MUC service MUST NOT allow empty or invisible Room Nicknames -- (i.e., Room Nicknames that consist only of one or more space characters). - if not select(3, jid_split(nick)):find("[^ ]") then -- resourceprep turns all whitespace into 0x20 + if not select(3, jid_split(to)):find("[^ ]") then -- resourceprep turns all whitespace into 0x20 module:log("debug", "Rejecting invisible nickname"); origin.send(st.error_reply(stanza, "cancel", "not-allowed")); return; 
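Review bot: The condition does not say why the caps feature is withheld from `c2s_unauthed` streams and offered to `c2s_unbound` ones. The commit subject itself admits the earlier intent was unclear, so the swap is easy to revert by accident. A one-line comment above the `if` would pin it down, e.g. `-- only advertise caps once the client has authenticated (c2s_unbound) or bound a resource (c2s)`. Reading `c2s_unbound` as "authenticated, not yet bound" is inferred from the commit subject and should be confirmed against the session-type definitions, which are outside this hunk.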
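Review bot: The resource part returned by `jid_split(to)` is still passed to `:find` without a nil check, here and in the enter-room hunk at @@ -476. If a stanza can reach handle_to_occupant with a bare room JID in `to`, the handler raises an error instead of sending `not-allowed`. Whether the caller rules this out is not visible in the hunk. A guarded form is `local requested_nick = select(3, jid_split(to));` followed by `if not (requested_nick and requested_nick:find("[^ ]")) then`. Since the same four-line check now appears twice, a small local helper would keep the rule in one place.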
@@ -476,7 +476,7 @@ function room_mt:handle_to_occupant(origin, stanza) -- PM, vCards, etc else -- enter room -- a MUC service MUST NOT allow empty or invisible Room Nicknames -- (i.e., Room Nicknames that consist only of one or more space characters). - if not select(3, jid_split(nick)):find("[^ ]") then -- resourceprep turns all whitespace into 0x20 + if not select(3, jid_split(to)):find("[^ ]") then -- resourceprep turns all whitespace into 0x20 module:log("debug", "Rejecting invisible nickname"); origin.send(st.error_reply(stanza, "cancel", "not-allowed")); return; -- cgit v1.2.3 From 73b75571e6546448dac8a67c6c231c14851ccac1 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 28 Jul 2017 13:15:29 +0200 Subject: core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512) --- plugins/mod_admin_adhoc.lua | 2 +- plugins/mod_admin_telnet.lua | 2 +- plugins/mod_auth_internal_hashed.lua | 4 +++- plugins/mod_c2s.lua | 12 ++++++++++++ plugins/mod_register.lua | 2 +- 5 files changed, 18 insertions(+), 4 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_admin_adhoc.lua b/plugins/mod_admin_adhoc.lua index 392e715e..f3de6793 100644 --- a/plugins/mod_admin_adhoc.lua +++ b/plugins/mod_admin_adhoc.lua @@ -97,7 +97,7 @@ local change_user_password_command_handler = adhoc_simple(change_user_password_l if module_host ~= host then return { status = "completed", error = { message = "Trying to change the password of a user on " .. host .. " but command was sent to " .. module_host}}; end - if usermanager_user_exists(username, host) and usermanager_set_password(username, fields.password, host) then + if usermanager_user_exists(username, host) and usermanager_set_password(username, fields.password, host, nil) then return { status = "completed", info = "Password successfully changed" }; else return { status = "completed", error = { message = "User does not exist" } }; 
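Review bot: The trailing `nil` in `usermanager_set_password(username, fields.password, host, nil)` carries meaning that nothing on the line explains, and the same goes for `um.set_password(username, password, host, nil)` in the mod_admin_telnet hunk. Judging by the mod_c2s hook later in this commit, the argument is the resource to spare, so `nil` means every session of the user is closed after an admin reset. A comment such as `-- resource = nil: disconnect all of the user's sessions` would make that explicit. The usermanager side of the change is not on this page, so the parameter's name and position should be checked there.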
diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua index 293f6320..5c01f8b8 100644 --- a/plugins/mod_admin_telnet.lua +++ b/plugins/mod_admin_telnet.lua @@ -1030,7 +1030,7 @@ function def_env.user:password(jid, password) elseif not um.user_exists(username, host) then return nil, "No such user"; end - local ok, err = um.set_password(username, password, host); + local ok, err = um.set_password(username, password, host, nil); if ok then return true, "User password changed"; else diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index 53e345e5..35764afb 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -120,7 +120,9 @@ function provider.get_sasl_handler() local credentials = accounts:get(username); if not credentials then return; end if credentials.password then - usermanager.set_password(username, credentials.password, host); + if provider.set_password(username, credentials.password) == nil then + return nil, "Auth failed. Could not set hashed password from plaintext."; + end credentials = accounts:get(username); if not credentials then return; end end diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua index cfeb0f0e..fbc22be6 100644 --- a/plugins/mod_c2s.lua +++ b/plugins/mod_c2s.lua @@ -203,6 +203,18 @@ module:hook_global("user-deleted", function(event) end end, 200); +module:hook_global("user-password-changed", function(event) + local username, host, resource = event.username, event.host, event.resource; + local user = hosts[host].sessions[username]; + if user and user.sessions then + for r, session in pairs(user.sessions) do + if r ~= resource then + session:close{ condition = "reset", text = "Password changed" }; + end + end + end +end, 200); + --- Port listener function listener.onconnect(conn) local session = sm_new_session(conn); diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index fd5339d9..832dd991 100644 
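Review bot: The failure test `provider.set_password(username, credentials.password) == nil` only catches a nil return. If the storage call behind it reports failure as `false`, the handler carries on and re-reads the credentials as if the migration had succeeded. `if not provider.set_password(username, credentials.password) then` covers both cases. A comment should also say why the provider is called directly instead of `usermanager.set_password`. The likely reason, inferred from the rest of the commit, is that upgrading a stored plaintext password to a hash at login should not count as a password change and disconnect the user's sessions.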
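Review bot: `hosts[host].sessions[username]` in the new `user-password-changed` hook indexes two values that may be nil, since this is a global hook and `event.host` could name a host that is not loaded or has no `sessions` table. An error there would abort the handler and leave the user's other sessions connected after the password change, which is the outcome this commit exists to prevent. A guarded lookup is `local host_session = hosts[host];` followed by `local user = host_session and host_session.sessions and host_session.sessions[username];`. Separately, only entries in `user.sessions` are closed, so a stream that authenticated with the old password but has not yet bound a resource is probably not covered. It is worth confirming where such sessions are tracked.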
--- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -130,7 +130,7 @@ local function handle_registration_stanza(event) local password = query:get_child_text("password"); if username and password then if username == session.username then - if usermanager_set_password(username, password, session.host) then + if usermanager_set_password(username, password, session.host, session.resource) then session.send(st.reply(stanza)); else -- TODO unable to write file, file may be locked, etc, what's the correct error? -- cgit v1.2.3 From 88bd13d98b8220f5136890f69becf8a929ad1e0c Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 25 Jul 2017 22:01:16 +0200 Subject: mod_mam: Clone stanzas before mutating (thanks waqas) (fixes #961) --- plugins/mod_mam/mod_mam.lua | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_mam/mod_mam.lua b/plugins/mod_mam/mod_mam.lua index 1dcce4e4..a86697e8 100644 --- a/plugins/mod_mam/mod_mam.lua +++ b/plugins/mod_mam/mod_mam.lua 
@@ -243,15 +243,19 @@ local function message_handler(event, c2s) local with = jid_bare(c2s and orig_to or orig_from); -- Filter out that claim to be from us - stanza:maptags(function (tag) - if tag.name == "stanza-id" and tag.attr.xmlns == xmlns_st_id then - local by_user, by_host, res = jid_prepped_split(tag.attr.by); - if not res and by_host == module.host and by_user == store_user then - return nil; + if stanza:get_child("stanza-id", xmlns_st_id) then + stanza = st.clone(stanza); + stanza:maptags(function (tag) + if tag.name == "stanza-id" and tag.attr.xmlns == xmlns_st_id then + local by_user, by_host, res = jid_prepped_split(tag.attr.by); + if not res and by_host == module.host and by_user == store_user then + return nil; + end end - end - return tag; - end); + return tag; + end); + event.stanza = stanza; + end -- We store chat messages or normal messages that have a body if not(orig_type == "chat" or (orig_type == "normal" and stanza:get_child("body")) ) then @@ -268,18 +272,21 @@ local function message_handler(event, c2s) end end + local clone_for_storage; if not strip_tags:empty() then - stanza = st.clone(stanza); - stanza:maptags(function (tag) + clone_for_storage = st.clone(stanza); + clone_for_storage:maptags(function (tag) if strip_tags:contains(tag.attr.xmlns) then return nil; else return tag; end end); - if #stanza.tags == 0 then + if #clone_for_storage.tags == 0 then return; end + else + clone_for_storage = stanza; end -- Check with the users preferences 
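Review bot: The spoofed `stanza-id` is now stripped from a clone that is written back with `event.stanza = stanza`, so the original stanza object keeps the element. Before this change `maptags` edited the stanza in place and every holder of that reference saw the filtered version; now only code that re-reads `event.stanza` after this handler does. If whatever fired the event delivers its own reference, a client could receive a `stanza-id` that falsely claims to come from its own archive; that path is outside this file and needs checking. The same applies to the third hunk (@@ -287), where the genuine `stanza-id` is added to `clone_for_other_handlers` and published only through `event.stanza`. A comment at each assignment stating that later handlers must read `event.stanza` would document the contract.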
@@ -287,12 +294,14 @@ local function message_handler(event, c2s) log("debug", "Archiving stanza: %s", stanza:top_tag()); -- And stash it - local ok = archive:append(store_user, nil, stanza, time_now(), with); + local ok = archive:append(store_user, nil, clone_for_storage, time_now(), with); if ok then + local clone_for_other_handlers = st.clone(stanza); local id = ok; - event.stanza:tag("stanza-id", { xmlns = xmlns_st_id, by = store_user.."@"..host, id = id }):up(); + clone_for_other_handlers:tag("stanza-id", { xmlns = xmlns_st_id, by = store_user.."@"..host, id = id }):up(); + event.stanza = clone_for_other_handlers; if cleanup then cleanup[store_user] = true; end - module:fire_event("archive-message-added", { origin = origin, stanza = stanza, for_user = store_user, id = id }); + module:fire_event("archive-message-added", { origin = origin, stanza = clone_for_storage, for_user = store_user, id = id }); end else log("debug", "Not archiving stanza: %s (prefs)", stanza:top_tag()); -- cgit v1.2.3 From a15830f3784e1314848f6cea9d2302edb89b4d7b Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Thu, 24 Aug 2017 21:51:11 +0200 Subject: mod_register: Add comments saying which section handles password change, account deletion and which is in-band registration --- plugins/mod_register.lua | 2 ++ 1 file changed, 2 insertions(+) (limited to 'plugins') diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua index 832dd991..b39ce090 100644 --- a/plugins/mod_register.lua +++ b/plugins/mod_register.lua @@ -91,6 +91,7 @@ module:hook("stream-features", function(event) features:add_child(register_stream_feature); end); +-- Password change and account deletion handler local function handle_registration_stanza(event) local session, stanza = event.origin, event.stanza; local log = session.log or module._log; 
@@ -207,6 +208,7 @@ local function check_throttle(ip) return throttle:poll(1); end +-- In-band registration module:hook("stanza/iq/jabber:iq:register:query", function(event) local session, stanza = event.origin, event.stanza; local log = session.log or module._log; -- cgit v1.2.3