# HG changeset patch # User Matthew Wild # Date 1278123805 -3600 # Node ID f4d2de6ac22ecb221c37d4fcb0381dd8ae965ab7 # Parent 4019ad5c61e242dfa1d3905bc60a03b937e13cc8 xmppcomponent_listener: Validate to/from on components, fixes #104 and #162 diff -r 4019ad5c61e2 -r f4d2de6ac22e net/xmppcomponent_listener.lua --- a/net/xmppcomponent_listener.lua Fri Jul 02 19:55:37 2010 +0100 +++ b/net/xmppcomponent_listener.lua Sat Jul 03 03:23:25 2010 +0100 @@ -99,6 +99,27 @@ if not stanza.attr.xmlns and stanza.name == "handshake" then stanza.attr.xmlns = xmlns_component; end + local from = stanza.attr.from; + if from then + if session.component_validate_from then + local _, domain = jid_split(stanza.attr.from); + if domain ~= session.host then + -- Return error + session:close{ + condition = "invalid-from"; + text = "Component tried to send from address <"..tostring(from) + .."> which is not in domain <"..tostring(session.host)..">"; + }; + return; + end + end + else + stanza.attr.from = session.host; + end + if not stanza.attr.to then + session.send(st.error_reply(stanza, "modify", "bad-request", "Components MUST specify a 'to' address on stanzas")); + return; + end return core_process_stanza(session, stanza); end