diff src/plugins/plugin_misc_groupblog.py @ 532:db4ae4d18f09

plugin group blog: security check + fixed publisher in personalEvent signal
author Goffi <goffi@goffi.org>
date Sun, 28 Oct 2012 18:27:37 +0100
parents c18e0e108925
children 07f369ed3988
--- a/src/plugins/plugin_misc_groupblog.py	Sun Oct 28 17:59:24 2012 +0100
+++ b/src/plugins/plugin_misc_groupblog.py	Sun Oct 28 18:27:37 2012 +0100
@@ -19,7 +19,7 @@
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 
-from logging import debug, info, error
+from logging import debug, info, warning, error
 from twisted.internet import defer
 from twisted.words.protocols.jabber import jid
 
@@ -151,9 +151,19 @@
     def pubSubItemsReceivedTrigger(self, event, profile):
         """"Trigger which catch groupblogs events"""
         if event.nodeIdentifier.startswith(NS_NODE_PREFIX):
+            publisher = jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])
+            origin_host = publisher.host.split('.')
+            event_host = event.sender.host.split('.')
+            #FIXME: basic origin check, must be improved
+            if (not (origin_host)
+                or len(event_host) < len(origin_host)
+                or event_host[-len(origin_host):] != origin_host):
+                warning("Host incoherence between %s and %s (hack attempt ?)" % (unicode(event.sender),
+                                                                                 unicode(publisher)))
+                return
             for item in event.items:
                 microblog_data = self.host.plugins["XEP-0277"].item2mbdata(item)
-                self.host.bridge.personalEvent(event.sender.full(), "MICROBLOG", microblog_data, profile)
+                self.host.bridge.personalEvent(publisher.full(), "MICROBLOG", microblog_data, profile)
             return False
         return True
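Review bot: The `jid.JID(...)` call on the first added line parses a node identifier supplied by the remote pubsub service, and a malformed name raises `jid.InvalidFormat` out of the trigger before the origin check is reached; the parse should be guarded and treated as a rejected event. The `not (origin_host)` guard on the next lines can never fire, since `str.split('.')` always returns a non-empty list (an empty host gives `['']`), so the empty-host case is only rejected by the suffix comparison that follows. The `return` after the warning also differs from the other branches, which return `False`/`True` explicitly; `return False` would make the "handled, stop processing" intent clear. The label-suffix comparison accepts a sender at any subdomain of the publisher's host, which is presumably intended for a separate pubsub service host; the FIXME could say so, e.g. `#FIXME: basic origin check (sender may be any subdomain of the publisher host), must be improved`.
```python
        if event.nodeIdentifier.startswith(NS_NODE_PREFIX):
            try:
                publisher = jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])
            except jid.InvalidFormat:
                warning("Invalid publisher JID in node %s from %s" % (event.nodeIdentifier,
                                                                      unicode(event.sender)))
                return False
            origin_host = publisher.host.split('.')
            event_host = event.sender.host.split('.')
            #FIXME: basic origin check (sender may be any subdomain of the publisher host), must be improved
            if (not publisher.host
                or len(event_host) < len(origin_host)
                or event_host[-len(origin_host):] != origin_host):
                # … unchanged: host incoherence warning …
                return False
            # … unchanged: item loop and personalEvent call …
```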