mod_mam: Only check for locally generated stanza-ids
Otherwise a message archived by a remote server would be incorrectly
silently discarded. This should be safe from spoofing thanks to
strip_stanza_id earlier in the event chain.
--- a/plugins/mod_mam/mod_mam.lua Tue Aug 31 11:25:23 2021 +0200
+++ b/plugins/mod_mam/mod_mam.lua Tue Aug 31 11:26:42 2021 +0200
@@ -480,8 +480,11 @@
-- which would not be accurate because it has been archived.
module:hook("message/offline/handle", function(event)
local stanza = event.stanza;
- if stanza:get_child("stanza-id", xmlns_st_id) then
- return true;
+ local user = event.username .. "@" .. host;
+ for st_id in stanza:childtags("stanza-id", xmlns_st_id) do
+ if st_id.attr.by == user then
+ return true;
+ end
end
end, -2);