From 011e138d64f41bcb3a0834bf3e97d21e968aa3c3 Mon Sep 17 00:00:00 2001
From: Manjeet Dahiya
Date: Mon, 27 Sep 2010 12:58:29 +0000
Subject: security check: only server should send the rosterIq

---
 src/QXmppRosterManager.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/QXmppRosterManager.cpp b/src/QXmppRosterManager.cpp
index 4ca9f011..ac1ff1d3 100644
--- a/src/QXmppRosterManager.cpp
+++ b/src/QXmppRosterManager.cpp
@@ -77,8 +77,16 @@ bool QXmppRosterManager::handleStanza(QXmppStream *stream, const QDomElement &el
 {
 QXmppRosterIq rosterIq;
 rosterIq.parse(element);
- rosterIqReceived(rosterIq);
- return true;
+
+ // Security check: only server should send this iq
+ // from() should be either empty or bareJid of the user
+ QString fromJid = rosterIq.from();
+ if(fromJid.isEmpty() ||
+ fromJid == client()->configuration().jidBare())
+ {
+ rosterIqReceived(rosterIq);
+ return true;
+ }
 }
 return false;
--
cgit v1.2.3
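Review bot: A roster IQ that fails the new sender check is dropped silently — control falls through to `return false;` with nothing recording that a stanza claiming to be a roster push arrived from a foreign JID, which is precisely the spoofing attempt the check exists to catch; log the rejected `fromJid` through the project's logging facility before falling through so the event is visible in client logs. The check itself fails closed on any mismatch and matches the rule later standardised in RFC 6121 §2.1.6 (ignore a roster push unless `from` is absent or equals the account's bare JID), so the comment could cite that rule in place of `// Security check: only server should send this iq`. Because `rosterIq.parse(element)` runs before the check, the untrusted stanza is fully parsed before its origin is verified; reading `element.attribute("from")` first and calling `parse()` only after the check would reject a spoofed stanza earlier, assuming `parse()` takes `from` from that attribute (confirm). handleStanza begins before the hunk, and the hunk's trailing context line appears to have been lost on this page.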