#1055 <delay/> elements on MUC messages are not discarded if their @from matches the MUC JID

Reporter Jonas Wielicki
Owner Zash
Created
Updated
Stars ★ (1)  
Tags
  • Security
  • Milestone-0.9
  • Priority-Medium
  • Status-Fixed
  • Type-Defect
  1. Jonas Wielicki on

    What steps will reproduce the problem? 1. Join a MUC foo@chat.domain.example 2. Send a message to the MUC with a <delay from="foo@chat.domain.example" stamp="2017-01-01T01:01:00" reason="spoofed!"/> What is the expected output? The reflected message should not contain the <delay/> element, or it should contain a timestamp checked and enforced by the MUC service. What do you see instead? The reflected message contains the <delay/> element unaltered. What version of the product are you using? On what operating system? 0.9-ish: 5770:7ad9d7c4161c 0.10-ish: 7503:df970f76c720 Please provide any additional information below. During history replay, prosody will add a second <delay/> element. Which one wins will depend on the client implementation, so there’s a chance that this can also be used to spoof history.

  2. Zash on

    Thanks for the report. Reviewing the patch you sent.

    Changes
    • owner Zash
    • tags Priority-High Priority-Medium Status-Accepted
  3. Zash on

    Low-severity issue.

    Changes
    • tags Hidden
  4. Zash on

    Fixed in https://hg.prosody.im/0.9/rev/eb85b10e1fea

    Changes
    • tags Status-Fixed
  5. Zash on

    Changes
    • tags Milestone-0.9

New comment

Not published. Used for spam prevention and optional update notifications.