From d915f98800f1740242a56b0c29b129a686fe1c9d Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sun, 29 Aug 2021 23:26:19 +0200
Subject: mod_external_services: Validate required attributes on credentials
 requests

---
 plugins/mod_external_services.lua | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/mod_external_services.lua b/plugins/mod_external_services.lua
index 1a6c80bd..6fafdb1f 100644
--- a/plugins/mod_external_services.lua
+++ b/plugins/mod_external_services.lua
@@ -175,7 +175,7 @@ local function handle_credentials(event)
 	local action = stanza.tags[1];
 
 	if origin.type ~= "c2s" then
-		origin.send(st.error_reply(stanza, "auth", "forbidden"));
+		origin.send(st.error_reply(stanza, "auth", "forbidden", "The 'port' and 'type' attributes are required."));
 		return true;
 	end
 
@@ -188,6 +188,11 @@ local function handle_credentials(event)
 
 	local requested_credentials = {};
 	for service in action:childtags("service") do
+		if not service.attr.type or not service.attr.host then
+			origin.send(st.error_reply(stanza, "modify", "bad-request"));
+			return true;
+		end
+
 		table.insert(requested_credentials, {
 				type = service.attr.type;
 				host = service.attr.host;
-- 
cgit v1.2.3