1 files changed, 10 insertions, 2 deletions

diff --git a/src/QXmppRosterManager.cpp b/src/QXmppRosterManager.cpp
index 4ca9f011..ac1ff1d3 100644
--- a/src/QXmppRosterManager.cpp
+++ b/src/QXmppRosterManager.cpp
@@ -77,8 +77,16 @@ bool QXmppRosterManager::handleStanza(QXmppStream *stream, const QDomElement &el
     {
         QXmppRosterIq rosterIq;
         rosterIq.parse(element);
-        rosterIqReceived(rosterIq);
-        return true;
+
+        // Security check: only server should send this iq
+        // from() should be either empty or bareJid of the user
+        QString fromJid = rosterIq.from();
+        if(fromJid.isEmpty() ||
+           fromJid == client()->configuration().jidBare())
+        {
+            rosterIqReceived(rosterIq);
+            return true;
+        }
     }
 
     return false;