libervia-pubsub: sat_pubsub/delegation.py comparison

comparison sat_pubsub/delegation.py @ 310:e6a9a3c93314

delegation: fixed bad security check which was rejecting all delegations from external servers: A hack is used to check delegation origin, but a better solution need to be implemented in the future. A list of trusted servers seems an acceptable solution.

author	Goffi <goffi@goffi.org>
date	Mon, 21 Dec 2015 13:44:21 +0100
parents	6918a0dad359
children	5d7c3787672e

comparison

equal deleted inserted replaced

-:890b24b37b56
+:e6a9a3c93314
 def onForward(self, iq):
 """Manage forwarded iq
 @param iq(domish.Element): full delegation stanza
 """
+# FIXME: we use a hack supposing that our delegation come from hostname
+#        and we are a component named [name].hostname
+#        but we need to manage properly allowed servers
+# TODO: do proper origin security check
+_, allowed = iq['to'].split('.', 1)
+if jid.JID(iq['from']) != jid.JID(allowed):
+log.msg((u"SECURITY WARNING: forwarded stanza doesn't come from our server: {}"
+.format(iq.toXml())).encode('utf-8'))
+raise error.StanzaError('not-allowed')
 try:
 fwd_iq = (iq.elements(DELEGATION_NS, 'delegation').next()
 .elements(FORWARDED_NS, 'forwarded').next()
 .elements('jabber:client', 'iq').next())
 except StopIteration:
 raise error.StanzaError('not-acceptable')
 managed_entity = jid.JID(fwd_iq['from'])
-if managed_entity.host != iq['from']:
-log.msg((u"SECURITY WARNING: forwarded stanza doesn't come from the emitting server: {}"
-.format(iq.toXml())).encode('utf-8'))
-raise error.StanzaError('not-allowed')
 self._current_iqs[fwd_iq['id']] = (iq, managed_entity)
 fwd_iq.delegated = True
 # we need a recipient in pubsub request for PEP

Mercurial > libervia-pubsub

comparison sat_pubsub/delegation.py @ 310:e6a9a3c93314