From 62eee94e2bc04402be96786a7a83ade4a3728807 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sat, 3 Oct 2020 15:03:09 +0200
Subject: mod_bosh: Ensure that stream is directed to a VirtualHost (fixes
 #425)

---
 plugins/mod_bosh.lua | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'plugins')

diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 7f750613..52168670 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -277,6 +277,22 @@ function stream_callbacks.streamopened(context, attr)
 			return;
 		end
 
+		if not prosody.hosts[to_host] then
+			log("debug", "BOSH client tried to connect to non-existant host: %s", attr.to);
+			local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
+				["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" });
+			response:send(tostring(close_reply));
+			return;
+		end
+
+		if prosody.hosts[to_host].type ~= "local" then
+			log("debug", "BOSH client tried to connect to %s host: %s", prosody.hosts[to_host].type, attr.to);
+			local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
+				["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" });
+			response:send(tostring(close_reply));
+			return;
+		end
+
 		local wait = tonumber(attr.wait);
 		if not rid or (not attr.wait or not wait or wait < 0 or wait % 1 ~= 0) then
 			log("debug", "BOSH client sent invalid rid or wait attributes: rid=%s, wait=%s", tostring(attr.rid), tostring(attr.wait));
-- 
cgit v1.2.3