# HG changeset patch # User Goffi # Date 1450701861 -3600 # Node ID e6a9a3c93314fc7e0182723fc42c64b9e259f4fa # Parent 890b24b37b5655bb88bedb39d5c95ae10b2e22b3 delegation: fixed bad security check which was rejecting all delegations from external servers: A hack is used to check delegation origin, but a better solution need to be implemented in the future. A list of trusted servers seems an acceptable solution. diff -r 890b24b37b56 -r e6a9a3c93314 sat_pubsub/delegation.py --- a/sat_pubsub/delegation.py Mon Dec 21 13:41:15 2015 +0100 +++ b/sat_pubsub/delegation.py Mon Dec 21 13:44:21 2015 +0100 @@ -173,6 +173,17 @@ @param iq(domish.Element): full delegation stanza """ + + # FIXME: we use a hack supposing that our delegation come from hostname + # and we are a component named [name].hostname + # but we need to manage properly allowed servers + # TODO: do proper origin security check + _, allowed = iq['to'].split('.', 1) + if jid.JID(iq['from']) != jid.JID(allowed): + log.msg((u"SECURITY WARNING: forwarded stanza doesn't come from our server: {}" + .format(iq.toXml())).encode('utf-8')) + raise error.StanzaError('not-allowed') + try: fwd_iq = (iq.elements(DELEGATION_NS, 'delegation').next() .elements(FORWARDED_NS, 'forwarded').next() @@ -182,11 +193,6 @@ managed_entity = jid.JID(fwd_iq['from']) - if managed_entity.host != iq['from']: - log.msg((u"SECURITY WARNING: forwarded stanza doesn't come from the emitting server: {}" - .format(iq.toXml())).encode('utf-8')) - raise error.StanzaError('not-allowed') - self._current_iqs[fwd_iq['id']] = (iq, managed_entity) fwd_iq.delegated = True