prosody
d15cfe8627ad
plugins/mod_bosh.lua
Software / code / prosody
Comparison
plugins/mod_bosh.lua @ 7378:d15cfe8627ad
mod_bosh: Validate 'to' host (see #343)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 19 Apr 2016 12:17:00 +0200 |
| parent | 7377:6c98e783272a |
| child | 7379:250855633092 |
comparison
equal
deleted
inserted
replaced
| 7377:6c98e783272a | 7378:d15cfe8627ad |
|---|---|
| 19 local log = logger.init("mod_bosh"); | 19 local log = logger.init("mod_bosh"); |
| 20 local initialize_filters = require "util.filters".initialize; | 20 local initialize_filters = require "util.filters".initialize; |
| 21 local math_min = math.min; | 21 local math_min = math.min; |
| 22 local xpcall, tostring, type = xpcall, tostring, type; | 22 local xpcall, tostring, type = xpcall, tostring, type; |
| 23 local traceback = debug.traceback; | 23 local traceback = debug.traceback; |
| 24 local nameprep = require "util.encodings".stringprep.nameprep; | |
| 24 | 25 |
| 25 local xmlns_streams = "http://etherx.jabber.org/streams"; | 26 local xmlns_streams = "http://etherx.jabber.org/streams"; |
| 26 local xmlns_xmpp_streams = "urn:ietf:params:xml:ns:xmpp-streams"; | 27 local xmlns_xmpp_streams = "urn:ietf:params:xml:ns:xmpp-streams"; |
| 27 local xmlns_bosh = "http://jabber.org/protocol/httpbind"; -- (hard-coded into a literal in session.send) | 28 local xmlns_bosh = "http://jabber.org/protocol/httpbind"; -- (hard-coded into a literal in session.send) |
| 28 | 29 |
| 242 if not sid then | 243 if not sid then |
| 243 -- New session request | 244 -- New session request |
| 244 context.notopen = nil; -- Signals that we accept this opening tag | 245 context.notopen = nil; -- Signals that we accept this opening tag |
| 245 | 246 |
| 246 -- TODO: Sanity checks here (rid, to, known host, etc.) | 247 -- TODO: Sanity checks here (rid, to, known host, etc.) |
| 247 if not hosts[attr.to] then | 248 local to_host = nameprep(attr.to); |
| 249 if not to_host then | |
| 250 log("debug", "BOSH client tried to connect to invalid host: %s", tostring(attr.to)); | |
| 251 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", | |
| 252 ["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" }); | |
| 253 response:send(tostring(close_reply)); | |
| 254 return; | |
| 255 elseif not hosts[to_host] then | |
| 248 -- Unknown host | 256 -- Unknown host |
| 249 log("debug", "BOSH client tried to connect to unknown host: %s", tostring(attr.to)); | 257 log("debug", "BOSH client tried to connect to unknown host: %s", tostring(attr.to)); |
| 250 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", | 258 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", |
| 251 ["xmlns:stream"] = xmlns_streams, condition = "host-unknown" }); | 259 ["xmlns:stream"] = xmlns_streams, condition = "host-unknown" }); |
| 252 response:send(tostring(close_reply)); | 260 response:send(tostring(close_reply)); |
