pidgin: ac620b61: Perform some sanity checking on inbound ...
datallah at pidgin.im
datallah at pidgin.im
Sun Oct 26 13:30:32 EDT 2008
-----------------------------------------------------------------
Revision: ac620b61f3dbe3da2184888eb05a0f637c3cd245
Ancestor: c4db69fe62c1650d1fb404a8bbb12bf47852f70c
Author: datallah at pidgin.im
Date: 2008-10-26T17:23:40
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/ac620b61f3dbe3da2184888eb05a0f637c3cd245
Modified files:
libpurple/protocols/jabber/iq.c
ChangeLog:
Perform some sanity checking on inbound IQs and send an error / drop as needed.
This has the effect of preventing us from sending an invalid response when we
get an invalid request (e.g. missing an id).
Fixes #7290.
-------------- next part --------------
============================================================
--- libpurple/protocols/jabber/iq.c a479d82512a1984842fded29b85ace2d269c2978
+++ libpurple/protocols/jabber/iq.c f5aad0682a60133a2e72d09670855a31de4ac71a
@@ -105,8 +105,7 @@ void jabber_iq_set_id(JabberIq *iq, cons
void jabber_iq_set_id(JabberIq *iq, const char *id)
{
- if(iq->id)
- g_free(iq->id);
+ g_free(iq->id);
if(id) {
xmlnode_set_attrib(iq->node, "id", id);
@@ -320,9 +319,42 @@ void jabber_iq_parse(JabberStream *js, x
from = xmlnode_get_attrib(packet, "from");
id = xmlnode_get_attrib(packet, "id");
+ if(type == NULL || !(!strcmp(type, "get") || !strcmp(type, "set")
+ || !strcmp(type, "result") || !strcmp(type, "error"))) {
+ purple_debug_error("jabber", "IQ with invalid type ('%s') - ignoring.\n",
+ type ? type : "(null)");
+ return;
+ }
+
+ /* All IQs must have an ID, so send an error for a set/get that doesn't */
+ if(!id || !*id) {
+
+ if(!strcmp(type, "set") || !strcmp(type, "get")) {
+ JabberIq *iq = jabber_iq_new(js, JABBER_IQ_ERROR);
+
+ xmlnode_free(iq->node);
+ iq->node = xmlnode_copy(packet);
+ xmlnode_set_attrib(iq->node, "to", from);
+ xmlnode_remove_attrib(iq->node, "from");
+ xmlnode_set_attrib(iq->node, "type", "error");
+ /* This id is clearly not useful, but we must put something there for a valid stanza */
+ iq->id = jabber_get_next_id(js);
+ xmlnode_set_attrib(iq->node, "id", iq->id);
+ error = xmlnode_new_child(iq->node, "error");
+ xmlnode_set_attrib(error, "type", "modify");
+ x = xmlnode_new_child(error, "bad-request");
+ xmlnode_set_namespace(x, "urn:ietf:params:xml:ns:xmpp-stanzas");
+
+ jabber_iq_send(iq);
+ } else
+ purple_debug_error("jabber", "IQ of type '%s' missing id - ignoring.\n", type);
+
+ return;
+ }
+
/* First, lets see if a special callback got registered */
- if(type && (!strcmp(type, "result") || !strcmp(type, "error"))) {
+ if(!strcmp(type, "result") || !strcmp(type, "error")) {
if(id && *id && (jcd = g_hash_table_lookup(js->iq_callbacks, id))) {
jcd->callback(js, packet, jcd->data);
jabber_iq_remove_callback_by_id(js, id);
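Review bot: In the new missing-id branch, `from` is passed to `xmlnode_set_attrib(iq->node, "to", from)` without a NULL check, and `iq->node` is a copy of the inbound packet, so it still carries the `to` the sender supplied. If the stanza has no `from` (plausible for server-originated IQs) and xmlnode_set_attrib rejects a NULL value (its body is not visible here), the error reply would go out with the original `to` left in place. Something like `if(from) xmlnode_set_attrib(iq->node, "to", from); else xmlnode_remove_attrib(iq->node, "to");` would make the addressing explicit. The reply also echoes the whole remote-controlled payload through `xmlnode_copy(packet)`, which deserves a short comment because any peer that can send us an IQ reaches this path. jabber_iq_parse starts and ends outside this hunk, so the declarations of `error` and `x` are assumed to exist above.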
@@ -332,7 +364,7 @@ void jabber_iq_parse(JabberStream *js, x
/* Apparently not, so lets see if we have a pre-defined handler */
- if(type && query && (xmlns = xmlnode_get_namespace(query))) {
+ if(query && (xmlns = xmlnode_get_namespace(query))) {
if((jih = g_hash_table_lookup(iq_handlers, xmlns))) {
jih(js, packet);
return;
@@ -348,7 +380,7 @@ void jabber_iq_parse(JabberStream *js, x
jabber_gmail_poke(js, packet);
return;
}
-
+
purple_debug_info("jabber", "jabber_iq_parse\n");
if(xmlnode_get_child_with_namespace(packet, "ping", "urn:xmpp:ping")) {
@@ -362,7 +394,7 @@ void jabber_iq_parse(JabberStream *js, x
}
/* If we get here, send the default error reply mandated by XMPP-CORE */
- if(type && (!strcmp(type, "set") || !strcmp(type, "get"))) {
+ if(!strcmp(type, "set") || !strcmp(type, "get")) {
JabberIq *iq = jabber_iq_new(js, JABBER_IQ_ERROR);
xmlnode_free(iq->node);