diff src/plugins/plugin_misc_groupblog.py @ 532:db4ae4d18f09
plugin group blog: security check + fixed publisher in personalEvent signal
author | Goffi <goffi@goffi.org> |
date | Sun, 28 Oct 2012 18:27:37 +0100 |
parents | c18e0e108925 |
children | 07f369ed3988 |
--- a/src/plugins/plugin_misc_groupblog.py Sun Oct 28 17:59:24 2012 +0100
+++ b/src/plugins/plugin_misc_groupblog.py Sun Oct 28 18:27:37 2012 +0100
@@ -19,7 +19,7 @@
 along with this program. If not, see <http://www.gnu.org/licenses/>.
 """
-from logging import debug, info, error
+from logging import debug, info, warning, error
 from twisted.internet import defer
 from twisted.words.protocols.jabber import jid
@@ -151,9 +151,19 @@
 def pubSubItemsReceivedTrigger(self, event, profile):
 """"Trigger which catch groupblogs events"""
 if event.nodeIdentifier.startswith(NS_NODE_PREFIX):
+ publisher = jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])
+ origin_host = publisher.host.split('.')
+ event_host = event.sender.host.split('.')
+ #FIXME: basic origin check, must be improved
+ if (not (origin_host)
+ or len(event_host) < len(origin_host)
+ or event_host[-len(origin_host):] != origin_host):
+ warning("Host incoherence between %s and %s (hack attempt ?)" % (unicode(event.sender),
+ unicode(publisher)))
+ return
 for item in event.items:
 microblog_data = self.host.plugins["XEP-0277"].item2mbdata(item)
- self.host.bridge.personalEvent(event.sender.full(), "MICROBLOG", microblog_data, profile)
+ self.host.bridge.personalEvent(publisher.full(), "MICROBLOG", microblog_data, profile)
 return False
 return True
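Review bot: `jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])` in the second hunk parses a node name that arrives from the network, and Twisted's JID constructor raises `jid.InvalidFormat` on an address it cannot parse or stringprep, so a crafted node identifier aborts the trigger with an unhandled exception instead of being rejected the way a host mismatch is. The rejection branch also ends with a bare `return` (None) while every other exit of the function returns True or False explicitly; `return False` keeps the trigger contract readable. Note that the label-suffix comparison of `event.sender.host` against `publisher.host` only ties the pubsub service's domain to the publisher's domain, not the node to a particular user, so a node named after another user on the same service would still pass — as the FIXME admits, whether that is exploitable depends on the service's node-creation policy, which is not visible here. The hunk shows the whole of pubSubItemsReceivedTrigger; the proposed guard is below.

```python
    def pubSubItemsReceivedTrigger(self, event, profile):
        """Trigger which catches groupblog events"""
        if event.nodeIdentifier.startswith(NS_NODE_PREFIX):
            try:
                publisher = jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])
            except jid.InvalidFormat:
                # node name is attacker-controlled: reject, never let it raise
                warning("Invalid publisher JID in node %s (hack attempt ?)" % event.nodeIdentifier)
                return False
            # … unchanged: origin_host / event_host suffix check and its warning() …
                return False  # was a bare return
            # … unchanged: item2mbdata loop and personalEvent …
```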