fix security check on incoming XMPP stanzas

4 files changed, 10 insertions, 6 deletions

diff --git a/src/QXmppIncomingServer.cpp b/src/QXmppIncomingServer.cpp
index ea8702e3..5ebaa6ac 100644
--- a/src/QXmppIncomingServer.cpp
+++ b/src/QXmppIncomingServer.cpp
@@ -143,7 +143,10 @@ void QXmppIncomingServer::handleStanza(const QDomElement &stanza)
             emit dialbackRequestReceived(request);
         }
 
-    } else if (!d->authenticated.isEmpty() && stanza.attribute("from").split("@").last() == d->authenticated) {
+    }
+    else if (!d->authenticated.isEmpty() &&
+             jidToDomain(stanza.attribute("from")) == d->authenticated)
+    {
         // relay packets if the remote party is authenticated
         bool handled = false;
         emit elementReceived(stanza, handled);
diff --git a/src/QXmppServer.cpp b/src/QXmppServer.cpp
index 54dcb9bc..74257681 100644
--- a/src/QXmppServer.cpp
+++ b/src/QXmppServer.cpp
@@ -33,11 +33,6 @@
 #include "QXmppServer.h"
 #include "QXmppUtils.h"
 
-static QString jidToDomain(const QString &to)
-{
-    return jidToBareJid(to).split("@").last();
-}
-
 class QXmppServerPrivate
 {
 public:
diff --git a/src/QXmppUtils.cpp b/src/QXmppUtils.cpp
index 33754692..68d88d89 100644
--- a/src/QXmppUtils.cpp
+++ b/src/QXmppUtils.cpp
@@ -146,6 +146,11 @@ QString datetimeToString(const QDateTime &dt)
         return utc.toString("yyyy-MM-ddThh:mm:ssZ");
 }
 
+QString jidToDomain(const QString &jid)
+{
+    return jidToBareJid(jid).split("@").last();
+}
+
 QString jidToResource(const QString& jid)
 {
     const int pos = jid.indexOf(QChar('/'));
diff --git a/src/QXmppUtils.h b/src/QXmppUtils.h
index 3b3326b9..eed2bb7a 100644
--- a/src/QXmppUtils.h
+++ b/src/QXmppUtils.h
@@ -44,6 +44,7 @@ class QStringList;
 QDateTime datetimeFromString(const QString &str);
 QString datetimeToString(const QDateTime &dt);
 
+QString jidToDomain(const QString& jid);
 QString jidToResource(const QString& jid);
 QString jidToBareJid(const QString& jid);