Check origin of roster pushes

slixmpp is vulnerable to roster push attacks as described by Daniel Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html. (CVE-2015-8688)
2016-11-21 21:42:51 +01:00 · 2016-11-21 21:42:51 +01:00 · ffdb6ffd69
commit ffdb6ffd69
parent 7560db856b
1 changed files with 6 additions and 1 deletions
--- a/slixmpp/clientxmpp.py
+++ b/slixmpp/clientxmpp.py
@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP):
                CoroutineCallback('Stream Features',
                     MatchXPath('{%s}features' % self.stream_ns),
                     self._handle_stream_features))
+        def roster_push_filter(iq):
+            from_ = iq['from']
+            if from_ and from_ != self.boundjid.bare:
+                return
+            self.event('roster_update', iq)
        self.register_handler(
                Callback('Roster Update',
                         StanzaPath('iq@type=set/roster'),
-                         lambda iq: self.event('roster_update', iq)))
+                         roster_push_filter))

        # Setup default stream features
        self.register_plugin('feature_starttls')