mod_cloud_notify: Forbid user from registering their own JID as their push server
--- a/mod_cloud_notify/mod_cloud_notify.lua Thu Aug 15 09:26:02 2019 +0200
+++ b/mod_cloud_notify/mod_cloud_notify.lua Mon Apr 27 23:07:01 2020 +0200
@@ -173,6 +173,11 @@
origin.send(st.error_reply(stanza, "modify", "bad-request", "Missing jid"));
return true;
end
+ if push_jid == stanza.attr.from then
+ origin.log("debug", "Push notification enable request 'jid' field identical to our own");
+ origin.send(st.error_reply(stanza, "modify", "bad-request", "JID must be different from ours"));
+ return true;
+ end
local publish_options = enable:get_child("x", "jabber:x:data");
if not publish_options then
-- Could be intentional