#1055 <delay/> elements on MUC messages are not discarded if their @from matches the MUC JID
What steps will reproduce the problem?
1. Join a MUC firstname.lastname@example.org
2. Send a message to the MUC with a <delay from="email@example.com" stamp="2017-01-01T01:01:00" reason="spoofed!"/>
What is the expected output?
The reflected message should not contain the <delay/> element, or it should contain a timestamp checked and enforced by the MUC service.
What do you see instead?
The reflected message contains the <delay/> element unaltered.
What version of the product are you using? On what operating system?
Please provide any additional information below.
During history replay, Prosody will add a second <delay/> element. Which one wins will depend on the client implementation, so there’s a chance that this can also be used to spoof history.
Thanks for the report. Reviewing the patch you sent.
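Added example, not part of the original report and not Prosody's code: a Python sketch of the first expected behaviour in the report, dropping any <delay/> (XEP-0203, namespace urn:xmpp:delay) that an occupant stamped with the room's or the MUC service's JID before the message is reflected. The function name, the room JID and the sample stanza are constructed for illustration, and JID comparison is simplified to lower-casing.

```python
import xml.etree.ElementTree as ET

DELAY_TAG = "{urn:xmpp:delay}delay"  # XEP-0203 delayed-delivery element

# Constructed sample: an occupant's groupchat message carrying one <delay/>
# that claims to come from the room and one from the sender's own server.
ROOM = "room@conference.example.test"
SAMPLE = (
    "<message xmlns='jabber:client' type='groupchat' to='" + ROOM + "'>"
    "<body>hello</body>"
    "<delay xmlns='urn:xmpp:delay' from='" + ROOM + "'"
    " stamp='2017-01-01T01:01:00' reason='spoofed!'/>"
    "<delay xmlns='urn:xmpp:delay' from='user.example.test'"
    " stamp='2017-01-01T01:02:00'/>"
    "</message>"
)


def bare(jid):
    """Bare JID without resource, lower-cased (simplified normalisation)."""
    return jid.split("/", 1)[0].lower()


def strip_spoofed_delay(stanza_xml, room_jid):
    """Remove <delay/> children whose @from is the room or MUC service JID.

    Only the MUC service may assert those addresses, so an occupant's copy
    is discarded; delays from other entities are left untouched.
    Returns (sanitised_xml, number_removed). room_jid must be a bare JID.
    """
    msg = ET.fromstring(stanza_xml)
    service = room_jid.split("@", 1)[1].lower()
    reserved = {room_jid.lower(), service}
    removed = 0
    for child in list(msg):  # copy: we mutate msg while iterating
        if child.tag == DELAY_TAG and bare(child.get("from", "")) in reserved:
            msg.remove(child)
            removed += 1
    return ET.tostring(msg, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, count = strip_spoofed_delay(SAMPLE, ROOM)
    print(count, cleaned)
```
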