# HG changeset patch
# User Kim Alvefur
# Date 1577140245 -3600
# Node ID cfc05e46b97906e08f38397fd5c559e086adfc6f
# Parent 40c2500208f47478e49de1d407cfadc22e0ee07c
mod_mam: More careful validation of MAM query form Adapted from mod_muc_mam
diff -r 40c2500208f4 -r cfc05e46b979 plugins/mod_mam/mod_mam.lua
--- a/plugins/mod_mam/mod_mam.lua Mon Dec 23 23:28:44 2019 +0100
+++ b/plugins/mod_mam/mod_mam.lua Mon Dec 23 23:30:45 2019 +0100
@@ -25,6 +25,7 @@
 local jid_split = require "util.jid".split;
 local jid_prepped_split = require "util.jid".prepped_split;
 local dataform = require "util.dataforms".new;
+local get_form_type = require "util.dataforms".get_type;
 local host = module.host;
 local rm_load_roster = require "core.rostermanager".load_roster;
@@ -101,7 +102,14 @@
 local qwith, qstart, qend;
 local form = query:get_child("x", "jabber:x:data");
 if form then
- local err;
+ local form_type, err = get_form_type(form);
+ if not form_type then
+ origin.send(st.error_reply(stanza, "modify", "bad-request", "Invalid dataform: "..err));
+ return true;
+ elseif form_type ~= xmlns_mam then
+ origin.send(st.error_reply(stanza, "modify", "bad-request", "Unexpected FORM_TYPE, expected '"..xmlns_mam.."'"));
+ return true;
+ end
 form, err = query_form:data(form);
 if err then
 origin.send(st.error_reply(stanza, "modify", "bad-request", select(2, next(err))));
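Review bot: In the `not form_type` branch, `"Invalid dataform: "..err` assumes `get_form_type` always returns an error string together with nil. Its implementation is not visible in this patch, so if it can return a bare nil (for instance when the FORM_TYPE field carries no value), the concatenation would raise on client-supplied input and the query would presumably go unanswered instead of receiving `bad-request`. A guard such as `"Invalid dataform: "..(err or "missing FORM_TYPE value")` keeps the error reply path intact either way. The enclosing query handler starts and ends outside this hunk.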