From 772dcf4e2b4d97bd5a51a9886f974e8ca10935aa Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 19 Apr 2016 12:17:00 +0200 Subject: mod_bosh: Validate 'to' host (see #343) --- plugins/mod_bosh.lua | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua index 64d52f91..f2cfb44a 100644 --- a/plugins/mod_bosh.lua +++ b/plugins/mod_bosh.lua @@ -21,6 +21,7 @@ local initialize_filters = require "util.filters".initialize; local math_min = math.min; local xpcall, tostring, type = xpcall, tostring, type; local traceback = debug.traceback; +local nameprep = require "util.encodings".stringprep.nameprep; local xmlns_streams = "http://etherx.jabber.org/streams"; local xmlns_xmpp_streams = "urn:ietf:params:xml:ns:xmpp-streams"; @@ -244,7 +245,14 @@ function stream_callbacks.streamopened(context, attr) context.notopen = nil; -- Signals that we accept this opening tag -- TODO: Sanity checks here (rid, to, known host, etc.) - if not hosts[attr.to] then + local to_host = nameprep(attr.to); + if not to_host then + log("debug", "BOSH client tried to connect to invalid host: %s", tostring(attr.to)); + local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", + ["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" }); + response:send(tostring(close_reply)); + return; + elseif not hosts[to_host] then -- Unknown host log("debug", "BOSH client tried to connect to unknown host: %s", tostring(attr.to)); local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", -- cgit v1.2.3