mod_mam: Only check for locally generated stanza-ids Otherwise a message archived by a remote server would be incorrectly silently discarded. This should be safe from spoofing thanks to strip_stanza_id earlier in the event chain.

author: Kim Alvefur <zash@zash.se>
date: Tue, 31 Aug 2021 11:26:42 +0200
parent: 11758:c35b81575d5d
child: 11760:d66738eeb875
--- a/plugins/mod_mam/mod_mam.lua	Tue Aug 31 11:25:23 2021 +0200
+++ b/plugins/mod_mam/mod_mam.lua	Tue Aug 31 11:26:42 2021 +0200
@@ -480,8 +480,11 @@
 -- which would not be accurate because it has been archived.
 module:hook("message/offline/handle", function(event)
 	local stanza = event.stanza;
-	if stanza:get_child("stanza-id", xmlns_st_id) then
-		return true;
+	local user = event.username .. "@" .. host;
+	for st_id in stanza:childtags("stanza-id", xmlns_st_id) do
+		if st_id.attr.by == user then
+			return true;
+		end
 	end
 end, -2);