mod_{bosh/c2s}: last minute corrections. (Fixes #374)

maranda · Jun 2, 2018 · a6e018f · a6e018f
1 parent 0909927
commit a6e018f
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 7 deletions.
diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
@@ -18,6 +18,7 @@ local fire_event = metronome.events.fire_event;
 local st = require "util.stanza";
 local logger = require "util.logger";
 local log = logger.init("mod_bosh");
+local nameprep = require "util.encodings".stringprep.nameprep;
 local math_min = math.min;
 
 local initialize_filters = require "util.filters".initialize;
@@ -233,12 +234,13 @@ function stream_callbacks.streamopened(context, attr)
 	if not sid then
 		context.notopen = nil; -- Signals that we accept this opening tag
 
-		if not hosts[attr.to] then
+		local normalized_to, rid, wait = nameprep(attr.to), tonumber(attr.rid), tonumber(attr.wait);
+		if not hosts[normalized_to] then
 			log("debug", "BOSH client tried to connect to unknown host: %s", tostring(attr.to));
 			response:send(tostring(st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
 				["xmlns:stream"] = xmlns_streams, condition = "host-unknown" })));
 			return false;
-		elseif hosts[attr.to].type == "component" then
+		elseif hosts[normalized_to].type == "component" then
 			log("debug", "BOSH client tried to connect to a component host: %s", tostring(attr.to));
 			local reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
 				["xmlns:stream"] = xmlns_streams, condition = "remote-stream-error" })
@@ -248,11 +250,17 @@ function stream_callbacks.streamopened(context, attr)
 			response:send(tostring(reply));
 			return false;
 		end
+		if not rid or (not wait and attr.wait or wait < 0) then
+			log("debug", "BOSH client sent invalid rid or wait attributes: rid - %s, wait - %s", tostring(attr.rid), tostring(attr.wait));
+			response:send(tostring(st.stanza("body", { xmlns = xmlns_bosh, type = "terminate",
+				["xmlns:stream"] = xmlns_streams, condition = "bad-request" })));
+			return false;			
+		end
 
 		sid = new_uuid();
 		local session = {
-			type = "c2s_unauthed", conn = {}, sid = sid, rid = tonumber(attr.rid)-1, host = attr.to,
-			bosh_version = attr.ver, bosh_wait = math_min(attr.wait, BOSH_MAX_WAIT), streamid = sid,
+			type = "c2s_unauthed", conn = {}, sid = sid, rid = rid-1, host = normalized_to,
+			bosh_version = attr.ver, bosh_wait = math_min(wait, BOSH_MAX_WAIT), streamid = sid,
 			bosh_hold = BOSH_DEFAULT_HOLD, bosh_max_inactive = BOSH_DEFAULT_INACTIVITY, requests = {},
 			send_buffer = {}, reset_stream = bosh_reset_stream, close = bosh_close_stream,
 			dispatch_stanza = stream_callbacks.handlestanza, notopen = true, log = logger.init("bosh"..sid),

diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
@@ -40,13 +40,21 @@ local stream_xmlns_attr = {xmlns = "urn:ietf:params:xml:ns:xmpp-streams"};
 local default_stream_attr = { ["xmlns:stream"] = "http://etherx.jabber.org/streams", xmlns = stream_callbacks.default_ns, version = "1.0", id = "" };
 
 function stream_callbacks.streamopened(session, attr)
-	local send = session.send;
-	session.host = nameprep(attr.to);
-	if not session.host then
+	local send, host = session.send, nameprep(attr.to);
+
+	if not host then
 		session:close{ condition = "improper-addressing",
 			text = "A valid 'to' attribute is required on stream headers" };
+		return;		
+	end
+	if host and not session.host then
+		session.host = host;
+	elseif host ~= session.host then
+		session:close{ condition = "not-allowed",
+			text = "The 'to' attribute changed across the stream restart" };
 		return;
 	end
+
 	local session_host = hosts[session.host];
 	session.version = tonumber(attr.version) or 0;
 	session.streamid = uuid_generate();