Check origin of roster pushes
MCabber is vulnerable to roster push attacks as described by Daniel Gultsch
at https://gultsch.de/gajim_roster_push_and_message_interception.html.
This patch should fix the problem by checking the sender of the iq:roster
stanzas.
Thanks to Sam Whited for the report.
--- a/mcabber/mcabber/utils.c Sun Sep 18 17:13:53 2016 +0200
+++ b/mcabber/mcabber/utils.c Mon Nov 21 20:35:28 2016 +0100
@@ -96,6 +96,9 @@
char *ptr;
char *server;
+ if (!username) {
+ return NULL;
+ }
if ((ptr = strchr(username, JID_DOMAIN_SEPARATOR)) != NULL) {
server = g_strdup(ptr+1);
return server;
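Review bot: The new NULL guard changes get_servername()'s contract (NULL in, NULL out) without saying so, and the caller added in xmpp_iq.c relies on exactly that when it tests `!servername`; a one-line comment above the guard would make the dependency explicit, e.g. `/* NULL username yields NULL; callers (e.g. the roster-push check in xmpp_iq.c) test for it. */`. The visible `g_strdup(ptr+1)` return means a non-NULL result is a heap copy the caller owns — worth stating in the same comment, since the xmpp_iq.c caller currently does not free it. get_servername() starts and ends outside this hunk, so the no-'@' fallback path is not visible here.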
--- a/mcabber/mcabber/xmpp_iq.c Sun Sep 18 17:13:53 2016 +0200
+++ b/mcabber/mcabber/xmpp_iq.c Mon Nov 21 20:35:28 2016 +0100
@@ -582,6 +582,20 @@
int need_refresh = FALSE;
guint roster_type;
+ const gchar *from = lm_message_get_from(m);
+
+ if (from) {
+ gchar *self_bjid = jidtodisp(lm_connection_get_jid(c));
+ gchar *servername = get_servername(self_bjid, "");
+ if ((!jid_equal(self_bjid, from)) &&
+ (!servername || strcasecmp(from, servername))) {
+ scr_LogPrint(LPRINT_LOGNORM, "Received invalid roster IQ request");
+ g_free(self_bjid);
+ return LM_HANDLER_RESULT_REMOVE_MESSAGE;
+ }
+ g_free(self_bjid);
+ }
+
y = lm_message_node_find_child(lm_message_node_find_xmlns(m->node, NS_ROSTER),
"item");
for ( ; y; y = y->next) {
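Review bot: `servername` leaks on both paths of the new check: get_servername() returns a g_strdup()'d copy (visible in the utils.c hunk), but only `self_bjid` is freed before the early `return LM_HANDLER_RESULT_REMOVE_MESSAGE` and after the if; add `g_free(servername);` next to each `g_free(self_bjid);`. The check itself is reasonable, but accepting the bare server domain (`strcasecmp(from, servername)`) is a deliberate relaxation of RFC 6121 §2.1.6, which only allows an absent `from` or the user's own bare JID, and it is safe only because the server stamps `from` on stanzas from other entities — a short comment saying so would stop a future reader from "fixing" it either way, e.g. `/* RFC 6121 2.1.6: accept pushes only from our own bare JID (or the server domain, which nobody else can spoof). */`. Whether jid_equal() tolerates a resource on `from` cannot be seen here; if it compares full strings, a push from our own full JID is rejected, which is stricter than the RFC but harmless. The enclosing handler starts and ends outside this hunk.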