# HG changeset patch
# User Goffi
# Date 1351445257 -3600
# Node ID db4ae4d18f09502ba07ecfae112c30346ec7f3c0
# Parent 3bd8f84f920de4018a6f857dc01ee7a311f7877e
plugin group blog: security check + fixed publisher in personalEvent signal
diff -r 3bd8f84f920d -r db4ae4d18f09 src/plugins/plugin_misc_groupblog.py
--- a/src/plugins/plugin_misc_groupblog.py Sun Oct 28 17:59:24 2012 +0100
+++ b/src/plugins/plugin_misc_groupblog.py Sun Oct 28 18:27:37 2012 +0100
@@ -19,7 +19,7 @@
 along with this program. If not, see .
 """
-from logging import debug, info, error
+from logging import debug, info, warning, error
 from twisted.internet import defer
 from twisted.words.protocols.jabber import jid
@@ -151,9 +151,19 @@
 def pubSubItemsReceivedTrigger(self, event, profile):
 """"Trigger which catch groupblogs events"""
 if event.nodeIdentifier.startswith(NS_NODE_PREFIX):
+ publisher = jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])
+ origin_host = publisher.host.split('.')
+ event_host = event.sender.host.split('.')
+ #FIXME: basic origin check, must be improved
+ if (not (origin_host) or len(event_host) < len(origin_host) or event_host[-len(origin_host):] != origin_host):
+ warning("Host incoherence between %s and %s (hack attempt ?)" % (unicode(event.sender), unicode(publisher)))
+ return
 for item in event.items:
 microblog_data = self.host.plugins["XEP-0277"].item2mbdata(item)
- self.host.bridge.personalEvent(event.sender.full(), "MICROBLOG", microblog_data, profile)
+ self.host.bridge.personalEvent(publisher.full(), "MICROBLOG", microblog_data, profile)
 return False
 return True
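Review bot: `jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])` parses a node identifier supplied by the remote pubsub service and raises `jid.InvalidFormat` on a malformed one, so a bad node name leaves the trigger as an unhandled exception instead of being logged and rejected like the host mismatch a few lines below. The suffix comparison `event_host[-len(origin_host):] != origin_host` also accepts a publisher host consisting of a single top-level label (constructed example: publisher host `org` against sender `pubsub.example.org`), so the FIXME is warranted; requiring at least two labels in `origin_host`, or comparing against the sender's registered domain rather than any suffix, would narrow it. The rejection path ends in a bare `return`, which yields None where every other exit of the trigger returns False or True; `return False` keeps the contract explicit. Parsing under a try/except that logs and returns False is sketched below; the rest of the hunk stays as committed.
```python
        if event.nodeIdentifier.startswith(NS_NODE_PREFIX):
            try:
                publisher = jid.JID(event.nodeIdentifier[len(NS_NODE_PREFIX):])
            except jid.InvalidFormat:
                warning("Invalid publisher jid in node %s from %s" % (event.nodeIdentifier, unicode(event.sender)))
                return False
            # … unchanged: origin_host / event_host suffix check, item loop …
```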