From ef623af2f893e5f9c9c1bb1c9c097e566e688ebe Mon Sep 17 00:00:00 2001 From: Dunedan Date: Tue, 13 Aug 2024 04:59:38 +0000 Subject: [PATCH] Check for source of XMPP stanzas Up to now Pyrogenesis didn't check if lobby related XMPP stanzas were sent by the lobby bots. This meant that every user could send forged data, like the list of games, to be displayed by another user. This change fixes that by checking such stanzas come from the expected lobby bots. Patch by: @Dunedan Accepted by: @Stan Differential Revision: https://code.wildfiregames.com/D5216 This was SVN commit r28197.
---
 source/lobby/XmppClient.cpp | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/source/lobby/XmppClient.cpp b/source/lobby/XmppClient.cpp
index ae2ccd2cb6..144b084e79 100644
--- a/source/lobby/XmppClient.cpp
+++ b/source/lobby/XmppClient.cpp
@@ -867,7 +867,13 @@ bool XmppClient::handleIq(const glooxwrapper::IQ& iq)
 }
 if (gq)
 {
- if (iq.from().full() == m_xpartamuppId && gq->m_Command == "register" && g_NetServer && !g_NetServer->GetUseSTUN())
+ if (iq.from().full() != m_xpartamuppId)
+ {
+ LOGWARNING("XmppClient: Received game list response from unexpected sender: %s", iq.from().full());
+ return true;
+ }
+
+ if (gq->m_Command == "register" && g_NetServer && !g_NetServer->GetUseSTUN())
 {
 if (gq->m_GameList.empty())
 {
@@ -895,6 +901,12 @@ bool XmppClient::handleIq(const glooxwrapper::IQ& iq)
 }
 if (bq)
 {
+ if (iq.from().full() != m_echelonId)
+ {
+ LOGWARNING("XmppClient: Received board list response from unexpected sender: %s", iq.from().full());
+ return true;
+ }
+
 if (bq->m_Command == "boardlist")
 {
 for (const glooxwrapper::Tag* const& t : m_BoardList)
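Review bot: The sender JID passed to the new `LOGWARNING` call under `if (gq)` is chosen by the remote party, and the warning fires once per rejected stanza, so a peer that keeps sending forged game-list IQs can grow the log at will; the board-list and profile guards in the two later hunks have the same property. If warnings are also surfaced in the UI (not visible in this diff), that text reaches the player directly. Consider limiting the warning to the first few occurrences per session and stating the intent above the guard, e.g. `// Sender JID is remote-controlled: drop the stanza and keep this warning rate-limited.` handleIq starts and ends outside this hunk.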
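Review bot: The guard added under `if (bq)` is repeated verbatim under `if (pq)` in the next hunk and, with `m_xpartamuppId`, under `if (gq)` in the previous one, so every payload type has to remember its own check. A small private helper that takes the IQ, the expected JID and a label, logs the mismatch and returns whether the sender matched would reduce each site to `if (!IsFromExpectedSender(iq, m_echelonId, "board list")) return true;` (the helper name is only a suggestion). That would also make it easier to confirm whether any other payload handled in handleIq, whose body continues outside these hunks, still lacks a sender check.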
@@ -922,6 +934,12 @@ bool XmppClient::handleIq(const glooxwrapper::IQ& iq)
 }
 if (pq)
 {
+ if (iq.from().full() != m_echelonId)
+ {
+ LOGWARNING("XmppClient: Received profile response from unexpected sender: %s", iq.from().full());
+ return true;
+ }
+
 for (const glooxwrapper::Tag* const& t : m_Profile)
 glooxwrapper::Tag::free(t);
 m_Profile.clear();