
plugins/mod_proxy65.lua @ 11555:65dcc175ef5b 0.11

mod_proxy65: Restrict access to local c2s connections by default

Previously, having no 'proxy65_acl' option set would allow unrestricted access by local or remote JIDs.
author Matthew Wild <mwild1@gmail.com>
date Wed, 12 May 2021 13:59:49 +0100
parent 9645:cc642c9c5ad5
child 11560:3bbb1af92514
11554:db8e41eb6eff 11555:65dcc175ef5b
92 function module.add_host(module) 92 function module.add_host(module)
93 local host, name = module:get_host(), module:get_option_string("name", "SOCKS5 Bytestreams Service"); 93 local host, name = module:get_host(), module:get_option_string("name", "SOCKS5 Bytestreams Service");
94 94
95 local proxy_address = module:get_option_string("proxy65_address", host); 95 local proxy_address = module:get_option_string("proxy65_address", host);
96 local proxy_acl = module:get_option_array("proxy65_acl"); 96 local proxy_acl = module:get_option_array("proxy65_acl");
97 local proxy_open_access = module:get_option_boolean("proxy65_open_access", false);
97 98
98 -- COMPAT w/pre-0.9 where proxy65_port was specified in the components section of the config 99 -- COMPAT w/pre-0.9 where proxy65_port was specified in the components section of the config
99 local legacy_config = module:get_option_number("proxy65_port"); 100 local legacy_config = module:get_option_number("proxy65_port");
100 if legacy_config then 101 if legacy_config then
101 module:log("warn", "proxy65_port is deprecated, please put proxy65_ports = { %d } into the global section instead", legacy_config); 102 module:log("warn", "proxy65_port is deprecated, please put proxy65_ports = { %d } into the global section instead", legacy_config);
108 module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event) 109 module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event)
109 local origin, stanza = event.origin, event.stanza; 110 local origin, stanza = event.origin, event.stanza;
110 111
111 -- check ACL 112 -- check ACL
112 -- using 'while' instead of 'if' so we can break out of it 113 -- using 'while' instead of 'if' so we can break out of it
113 while proxy_acl and #proxy_acl > 0 do --luacheck: ignore 512 114 local allow;
115 if proxy_acl and #proxy_acl > 0 then
114 local jid = stanza.attr.from; 116 local jid = stanza.attr.from;
115 local allow;
116 for _, acl in ipairs(proxy_acl) do 117 for _, acl in ipairs(proxy_acl) do
117 if jid_compare(jid, acl) then allow = true; break; end 118 if jid_compare(jid, acl) then
119 allow = true;
120 break;
121 end
118 end 122 end
119 if allow then break; end 123 elseif proxy_open_access or origin.type == "c2s" then
124 allow = true;
125 end
126
127 if not allow then
120 module:log("warn", "Denying use of proxy for %s", tostring(stanza.attr.from)); 128 module:log("warn", "Denying use of proxy for %s", tostring(stanza.attr.from));
121 origin.send(st.error_reply(stanza, "auth", "forbidden")); 129 origin.send(st.error_reply(stanza, "auth", "forbidden"));
122 return true; 130 return true;
123 end 131 end
124 132