Stream: Add IQ response sender check

Verifies that the sender of the response is correct, so no evil entity can inject responses. Fixes #510.
author: Linus Jahn <lnj@kaidan.im> 2022-12-28 21:58:25 +0100
committer: Linus Jahn <lnj@kaidan.im> 2022-12-28 22:56:35 +0100
commit: 838deb445b615aa06829164deb926ad68a42ae30 (patch)
tree: 267549c891617d9b871ef4a21a77b365c02de7a5 /src/client/QXmppClient.cpp
parent: 3dd4267a5842d5b956dd79633fa2c8b81fb80d53 (diff)
download: qxmpp-838deb445b615aa06829164deb926ad68a42ae30.tar.gz
1 files changed, 7 insertions, 4 deletions
diff --git a/src/client/QXmppClient.cpp b/src/client/QXmppClient.cpp
index 174c4219..a6d55fa8 100644
--- a/src/client/QXmppClient.cpp
+++ b/src/client/QXmppClient.cpp
@@ -517,12 +517,12 @@ QFuture<QXmppClient::IqResult> QXmppClient::sendIq(QXmppIq &&iq, const std::opti
 ///
 QFuture<QXmppClient::IqResult> QXmppClient::sendSensitiveIq(QXmppIq &&iq, const std::optional<QXmppSendStanzaParams> &params)
 {
-    const auto sendEncrypted = [this](QFuture<IqEncryptResult> &&future, const QString &id) {
+    const auto sendEncrypted = [this](QFuture<IqEncryptResult> &&future, const QString &id, const QString &to) {
         QFutureInterface<IqResult> interface(QFutureInterfaceBase::Started);
-        await(future, this, [this, interface, id](IqEncryptResult result) mutable {
+        await(future, this, [this, interface, id, to](IqEncryptResult result) mutable {
             if (const auto *xml = std::get_if<QByteArray>(&result)) {
                 // encrypted successfully
-                auto future = d->stream->sendIq(QXmppPacket(*xml, true), id);
+                auto future = d->stream->QXmppStream::sendIq(QXmppPacket(*xml, true), id, to);
                 await(future, this, [this, interface](QXmppStream::IqResult result) mutable {
                     if (const auto encryptedDom = std::get_if<QDomElement>(&result)) {
                         if (!isIqResponse(*encryptedDom)) {
@@ -571,10 +571,13 @@ QFuture<QXmppClient::IqResult> QXmppClient::sendSensitiveIq(QXmppIq &&iq, const
     if (iq.id().isEmpty() || d->stream->hasIqId(iq.id())) {
         iq.setId(QXmppUtils::generateStanzaUuid());
     }
+    if (iq.to().isEmpty()) {
+        iq.setTo(d->stream->configuration().domain());
+    }
 
     if (d->encryptionExtension) {
         const auto id = iq.id();
-        return sendEncrypted(d->encryptionExtension->encryptIq(std::move(iq), params), id);
+        return sendEncrypted(d->encryptionExtension->encryptIq(std::move(iq), params), id, iq.to());
     }
     return d->stream->sendIq(std::move(iq));
 }
author	Linus Jahn <lnj@kaidan.im>	2022-12-28 21:58:25 +0100
committer	Linus Jahn <lnj@kaidan.im>	2022-12-28 22:56:35 +0100
commit	838deb445b615aa06829164deb926ad68a42ae30 (patch)
tree	267549c891617d9b871ef4a21a77b365c02de7a5 /src/client/QXmppClient.cpp
parent	3dd4267a5842d5b956dd79633fa2c8b81fb80d53 (diff)
download	qxmpp-838deb445b615aa06829164deb926ad68a42ae30.tar.gz