Diff

plugins/mod_bosh.lua @ 7378:d15cfe8627ad

mod_bosh: Validate 'to' host (see #343)
author Kim Alvefur <zash@zash.se>
date Tue, 19 Apr 2016 12:17:00 +0200
parent 7377:6c98e783272a
child 7379:250855633092
line wrap: on
line diff
--- a/plugins/mod_bosh.lua	Tue Apr 19 12:16:17 2016 +0200
+++ b/plugins/mod_bosh.lua	Tue Apr 19 12:17:00 2016 +0200
@@ -21,6 +21,7 @@
 local math_min = math.min;
 local xpcall, tostring, type = xpcall, tostring, type;
 local traceback = debug.traceback;
+local nameprep = require "util.encodings".stringprep.nameprep;
 
 local xmlns_streams = "http://etherx.jabber.org/streams";
 local xmlns_xmpp_streams = "urn:ietf:params:xml:ns:xmpp-streams";
@@ -244,7 +245,14 @@
 		context.notopen = nil; -- Signals that we accept this opening tag
 
 		-- TODO: Sanity checks here (rid, to, known host, etc.)
-		if not hosts[attr.to] then
+		local to_host = nameprep(attr.to);
+		if not to_host then
+			log("debug", "BOSH client tried to connect to invalid host: %s", tostring(attr.to));
+			local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
+				["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" });
+			response:send(tostring(close_reply));
+			return;
+		elseif not hosts[to_host] then
 			-- Unknown host
 			log("debug", "BOSH client tried to connect to unknown host: %s", tostring(attr.to));
 			local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",