jshiffer/slixmpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check origin of roster pushes

Browse Source 
slixmpp is vulnerable to roster push attacks as described by Daniel
Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html.

(CVE-2015-8688)
This commit is contained in:
mathieui 2016-11-21 21:42:51 +01:00
parent 7560db856b
commit ffdb6ffd69
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
slixmpp/clientxmpp.py
View File

@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP):
CoroutineCallback('Stream Features', CoroutineCallback('Stream Features',
MatchXPath('{%s}features' % self.stream_ns), MatchXPath('{%s}features' % self.stream_ns),
self._handle_stream_features)) self._handle_stream_features))
def roster_push_filter(iq):
from_ = iq['from']
if from_ and from_ != self.boundjid.bare:
return
self.event('roster_update', iq)
self.register_handler( self.register_handler(
Callback('Roster Update', Callback('Roster Update',
StanzaPath('iq@type=set/roster'), StanzaPath('iq@type=set/roster'),
lambda iq: self.event('roster_update', iq))) roster_push_filter))
# Setup default stream features # Setup default stream features
self.register_plugin('feature_starttls') self.register_plugin('feature_starttls')