From ffdb6ffd69522bb14760eca196511ac69a158831 Mon Sep 17 00:00:00 2001 From: mathieui Date: Mon, 21 Nov 2016 21:42:51 +0100 Subject: [PATCH] Check origin of roster pushes slixmpp is vulnerable to roster push attacks as described by Daniel Gultsch at https://gultsch.de/gajim_roster_push_and_message_interception.html. (CVE-2015-8688) --- slixmpp/clientxmpp.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/slixmpp/clientxmpp.py b/slixmpp/clientxmpp.py index a4bb9a60..a57546f3 100644 --- a/slixmpp/clientxmpp.py +++ b/slixmpp/clientxmpp.py @@ -108,10 +108,15 @@ class ClientXMPP(BaseXMPP): CoroutineCallback('Stream Features', MatchXPath('{%s}features' % self.stream_ns), self._handle_stream_features)) + def roster_push_filter(iq): + from_ = iq['from'] + if from_ and from_ != self.boundjid.bare: + return + self.event('roster_update', iq) self.register_handler( Callback('Roster Update', StanzaPath('iq@type=set/roster'), - lambda iq: self.event('roster_update', iq))) + roster_push_filter)) # Setup default stream features self.register_plugin('feature_starttls')