security check: only server should send the rosterIq

author: Manjeet Dahiya <manjeetdahiya@gmail.com> 2010-09-27 12:58:29 +0000
committer: Manjeet Dahiya <manjeetdahiya@gmail.com> 2010-09-27 12:58:29 +0000
commit: 011e138d64f41bcb3a0834bf3e97d21e968aa3c3 (patch)
tree: 75c19cc44d36392ee5061a187d3bd1230ed98633 /src
parent: c0c4f8e160594de39cefb68b3ed46f86552dcf35 (diff)
download: qxmpp-011e138d64f41bcb3a0834bf3e97d21e968aa3c3.tar.gz
1 files changed, 10 insertions, 2 deletions
diff --git a/src/QXmppRosterManager.cpp b/src/QXmppRosterManager.cpp
index 4ca9f011..ac1ff1d3 100644
--- a/src/QXmppRosterManager.cpp
+++ b/src/QXmppRosterManager.cpp
@@ -77,8 +77,16 @@ bool QXmppRosterManager::handleStanza(QXmppStream *stream, const QDomElement &el
     {
         QXmppRosterIq rosterIq;
         rosterIq.parse(element);
-        rosterIqReceived(rosterIq);
-        return true;
+
+        // Security check: only server should send this iq
+        // from() should be either empty or bareJid of the user
+        QString fromJid = rosterIq.from();
+        if(fromJid.isEmpty() ||
+           fromJid == client()->configuration().jidBare())
+        {
+            rosterIqReceived(rosterIq);
+            return true;
+        }
     }
 
     return false;
author	Manjeet Dahiya <manjeetdahiya@gmail.com>	2010-09-27 12:58:29 +0000
committer	Manjeet Dahiya <manjeetdahiya@gmail.com>	2010-09-27 12:58:29 +0000
commit	011e138d64f41bcb3a0834bf3e97d21e968aa3c3 (patch)
tree	75c19cc44d36392ee5061a187d3bd1230ed98633 /src
parent	c0c4f8e160594de39cefb68b3ed46f86552dcf35 (diff)
download	qxmpp-011e138d64f41bcb3a0834bf3e97d21e968aa3c3.tar.gz