From e73120d4ab5b1a93c6ad051ff6807af02cd8a039 Mon Sep 17 00:00:00 2001
From: Linus Jahn
Date: Sun, 19 Jul 2020 13:50:13 +0200
Subject: QXmppCarbonManager: Fix vulnerability: Add sender check

The XEP requires that only carbon messages from the client's bare JID are accepted. This prevents that other entities can inject messages into the client.
---
 src/client/QXmppCarbonManager.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/client/QXmppCarbonManager.cpp')

diff --git a/src/client/QXmppCarbonManager.cpp b/src/client/QXmppCarbonManager.cpp
index d403e6de..e936ddf2 100644
--- a/src/client/QXmppCarbonManager.cpp
+++ b/src/client/QXmppCarbonManager.cpp
@@ -93,6 +93,12 @@ bool QXmppCarbonManager::handleStanza(const QDomElement &element)
     if (carbon.isNull() || carbon.namespaceURI() != ns_carbons)
         return false; // Neither sent nor received -> no carbon message
 
+    // carbon copies must always come from our bare JID
+    if (element.attribute("from") != client()->configuration().jidBare()) {
+        info("Received carbon copy from possible attacker trying to use CVE-2017-5603.");
+        return false;
+    }
+
     QDomElement forwarded = carbon.firstChildElement("forwarded");
     if (forwarded.isNull())
         return false;
-- 
cgit v1.2.3
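Review bot: The new guard `if (element.attribute("from") != client()->configuration().jidBare())` also rejects a carbon whose outer `<message>` carries no `from` attribute at all, because QDomElement::attribute() returns an empty string for a missing attribute; RFC 6120 allows a server to omit `from` on stanzas it generates on behalf of the account, so this may drop legitimate server-generated carbons — confirm against XEP-0280's security considerations before relaxing it, since accepting an absent `from` is only safe while the server is trusted to stamp `from` on every stanza it routes from another entity. The comparison is a byte-wise QString compare, so it further assumes the server emits the bare JID in the same normalised form the client stored in its configuration; both assumptions deserve a comment next to the check, e.g. `// Relies on the server stamping 'from' on every routed stanza and emitting our bare JID in canonical form; a mismatch is treated as an injection attempt.` A rejected carbon is a security-relevant event, so consider a warning-level log rather than info, if the logger distinguishes the two. handleStanza begins and ends outside the hunk.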