From 838deb445b615aa06829164deb926ad68a42ae30 Mon Sep 17 00:00:00 2001
From: Linus Jahn <lnj@kaidan.im>
Date: Wed, 28 Dec 2022 21:58:25 +0100
Subject: Stream: Add IQ response sender check

Verifies that the sender of the response is correct, so no evil entity
can inject responses.

Fixes #510.
---
 src/client/QXmppOutgoingClient.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/client/QXmppOutgoingClient.cpp')

diff --git a/src/client/QXmppOutgoingClient.cpp b/src/client/QXmppOutgoingClient.cpp
index 7d1ad6a3..9a8e51b8 100644
--- a/src/client/QXmppOutgoingClient.cpp
+++ b/src/client/QXmppOutgoingClient.cpp
@@ -19,6 +19,7 @@
 
 #include <QCryptographicHash>
 #include <QDnsLookup>
+#include <QFuture>
 #include <QNetworkProxy>
 #include <QSslConfiguration>
 #include <QSslSocket>
@@ -316,6 +317,15 @@ bool QXmppOutgoingClient::isStreamResumed() const
     return d->streamResumed;
 }
 
+QFuture<QXmppStream::IqResult> QXmppOutgoingClient::sendIq(QXmppIq &&iq)
+{
+    // always set a to address (the QXmppStream needs this for matching)
+    if (iq.to().isEmpty()) {
+        iq.setTo(d->config.domain());
+    }
+    return QXmppStream::sendIq(std::move(iq));
+}
+
 void QXmppOutgoingClient::_q_socketDisconnected()
 {
     debug("Socket disconnected");
-- 
cgit v1.2.3