From 7bfb39fe1eb853a95929c16a2692cbb648d7387c Mon Sep 17 00:00:00 2001
From: Linus Jahn <lnj@kaidan.im>
Date: Tue, 14 Mar 2023 23:17:55 +0100
Subject: Client: Don't fill empty 'to' attributes of outgoing IQs

---
 src/base/QXmppStream.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/base/QXmppStream.cpp')

diff --git a/src/base/QXmppStream.cpp b/src/base/QXmppStream.cpp
index 428e8e55..a4921a43 100644
--- a/src/base/QXmppStream.cpp
+++ b/src/base/QXmppStream.cpp
@@ -208,7 +208,7 @@ QXmppTask<QXmpp::SendResult> QXmppStream::send(QXmppPacket &&packet, bool &writt
 ///
 /// \since QXmpp 1.5
 ///
-QXmppTask<QXmppStream::IqResult> QXmppStream::sendIq(QXmppIq &&iq)
+QXmppTask<QXmppStream::IqResult> QXmppStream::sendIq(QXmppIq &&iq, const QString &to)
 {
     using namespace QXmpp;
 
@@ -223,7 +223,7 @@ QXmppTask<QXmppStream::IqResult> QXmppStream::sendIq(QXmppIq &&iq)
         iq.setId(QXmppUtils::generateStanzaUuid());
     }
 
-    return sendIq(QXmppPacket(iq), iq.id(), iq.to());
+    return sendIq(QXmppPacket(iq), iq.id(), to);
 }
 
 ///
-- 
cgit v1.2.3


From 67d75d5adc5915b5fb83fc1578b35724dae6185b Mon Sep 17 00:00:00 2001
From: Melvin Keskin <melvo@olomono.de>
Date: Thu, 16 Mar 2023 21:57:47 +0100
Subject: Stream: IQ handling: Accept responses without 'from' attribute (#556)

See https://xmpp.org/rfcs/rfc6120.html#stanzas-attributes-from-c2s point 3
---
 src/base/QXmppStream.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'src/base/QXmppStream.cpp')

diff --git a/src/base/QXmppStream.cpp b/src/base/QXmppStream.cpp
index a4921a43..4e7c7276 100644
--- a/src/base/QXmppStream.cpp
+++ b/src/base/QXmppStream.cpp
@@ -481,10 +481,18 @@ bool QXmppStream::handleIqResponse(const QDomElement &stanza)
         return false;
     }
 
-    if (auto itr = d->runningIqs.find(stanza.attribute(QStringLiteral("id")));
+    const auto id = stanza.attribute(QStringLiteral("id"));
+    if (auto itr = d->runningIqs.find(id);
         itr != d->runningIqs.end()) {
-        if (stanza.attribute("from") != itr.value().jid) {
-            warning(QStringLiteral("Received IQ response to one of our requests from wrong sender. Ignoring."));
+        const auto expectedFrom = itr.value().jid;
+        // Check that the sender of the response matches the recipient of the request.
+        // Stanzas coming from the server on behalf of the user's account must have no "from"
+        // attribute or have it set to the user's bare JID.
+        // If 'from' is empty, the IQ has been sent by the server. In this case we don't need to
+        // do the check as we trust the server anyways.
+        if (const auto from = stanza.attribute("from"); !from.isEmpty() && from != expectedFrom) {
+            warning(QStringLiteral("Ignored received IQ response to request '%1' because of wrong sender '%2' instead of expected sender '%3'")
+                        .arg(id, from, expectedFrom));
             return false;
         }
 
-- 
cgit v1.2.3