/pidgin/main: c6926e608dc4: Allow incoming IQ stanzas with an em...

Mark Doliner mark at kingant.net
Sun Jun 22 20:48:43 EDT 2014 

Changeset: c6926e608dc43d5b0a0a3f9e267affe57a3d0eae
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-06-22 17:48 -0700
Branch:	 release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/c6926e608dc4

Description:

Allow incoming IQ stanzas with an empty 'from' if they're in response to
an outgoing stanza to our bare or full JID. Patch from Thijs Alkemade
from https://developer.pidgin.im/ticket/15879

Fixes #15879

diffstat:

 libpurple/protocols/jabber/iq.c |  12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diffs (38 lines):

diff --git a/libpurple/protocols/jabber/iq.c b/libpurple/protocols/jabber/iq.c
--- a/libpurple/protocols/jabber/iq.c
+++ b/libpurple/protocols/jabber/iq.c
@@ -290,17 +290,19 @@ void jabber_iq_remove_callback_by_id(Jab
  * be a valid match if any of the following is true:
  * - Request 'to' matches reply 'from' (including the case where
  *   neither are set).
- * - Request 'to' was empty and reply 'from' is server JID.
+ * - Request 'to' was my JID (bare or full) and reply 'from' is empty.
  * - Request 'to' was empty and reply 'from' is my JID. The spec says
  *   we should only allow bare JID, but we also allow full JID for
  *   compatibility with some servers.
+ * - Request 'to' was empty and reply 'from' is server JID. Not allowed by
+ *   any spec, but for compatibility with some servers.
  *
  * These rules should allow valid IQ replies while preventing spoofed
  * ones.
  *
  * For more discussion see the "Spoofing of iq ids and misbehaving
  * servers" email thread from January 2014 on the jdev and security
- * mailing lists.
+ * mailing lists. Also see https://developer.pidgin.im/ticket/15879
  *
  * @return TRUE if this reply is valid for the given request.
  */
@@ -311,6 +313,12 @@ static gboolean does_reply_from_match_re
 		return TRUE;
 	}
 
+	if (!from && purple_strequal(to->node, js->user->node)
+			&& purple_strequal(to->domain, js->user->domain)) {
+		/* Request 'to' was my JID (bare or full) and reply 'from' is empty */
+		return TRUE;
+	}
+
 	if (!to && purple_strequal(from->domain, js->user->domain)) {
 		/* Request 'to' is empty and reply 'from' domain matches our domain */

More information about the Commits mailing list