Mercurial > libervia-pubsub
diff sat_pubsub/delegation.py @ 310:e6a9a3c93314
delegation: fixed bad security check which was rejecting all delegations from external servers:
A hack is used to check delegation origin, but a better solution need to be implemented in the future. A list of trusted servers seems an acceptable solution.
author | Goffi <goffi@goffi.org> |
---|---|
date | Mon, 21 Dec 2015 13:44:21 +0100 |
parents | 6918a0dad359 |
children | 5d7c3787672e |
line wrap: on
line diff
--- a/sat_pubsub/delegation.py Mon Dec 21 13:41:15 2015 +0100 +++ b/sat_pubsub/delegation.py Mon Dec 21 13:44:21 2015 +0100 @@ -173,6 +173,17 @@ @param iq(domish.Element): full delegation stanza """ + + # FIXME: we use a hack supposing that our delegation come from hostname + # and we are a component named [name].hostname + # but we need to manage properly allowed servers + # TODO: do proper origin security check + _, allowed = iq['to'].split('.', 1) + if jid.JID(iq['from']) != jid.JID(allowed): + log.msg((u"SECURITY WARNING: forwarded stanza doesn't come from our server: {}" + .format(iq.toXml())).encode('utf-8')) + raise error.StanzaError('not-allowed') + try: fwd_iq = (iq.elements(DELEGATION_NS, 'delegation').next() .elements(FORWARDED_NS, 'forwarded').next() @@ -182,11 +193,6 @@ managed_entity = jid.JID(fwd_iq['from']) - if managed_entity.host != iq['from']: - log.msg((u"SECURITY WARNING: forwarded stanza doesn't come from the emitting server: {}" - .format(iq.toXml())).encode('utf-8')) - raise error.StanzaError('not-allowed') - self._current_iqs[fwd_iq['id']] = (iq, managed_entity) fwd_iq.delegated = True