Add carbon source verification (CVE-2017-5589)

rufferson · rufferson · commit cb48e5199061 · 2021-04-07T20:21:30.000Z
diff --git a/src/im-factory.c b/src/im-factory.c
@@ -217,6 +217,23 @@ im_factory_message_cb (
   gboolean create_if_missing;
   gboolean sent;
 
+  /* CVE-2017-5589+ verification */
+  if (wocky_node_get_child_ns (wocky_stanza_get_top_node (message), "received", NS_CARBONS)
+      || wocky_node_get_child_ns (wocky_stanza_get_top_node (message), "sent", NS_CARBONS))
+    {
+      if ((from = wocky_stanza_get_from (message)) != NULL)
+        {
+          TpBaseConnection *conn = TP_BASE_CONNECTION (fac->priv->conn);
+          TpHandleRepoIface *handles = tp_base_connection_get_handles (conn,
+              TP_HANDLE_TYPE_CONTACT);
+          TpHandle from_handle = tp_handle_ensure (handles, from, NULL, NULL);
+          TpHandle self_handle = tp_base_connection_get_self_handle (conn);
+
+          if (from_handle != self_handle)
+            return FALSE;
+        }
+    }
+
   if (!gabble_message_util_parse_incoming_message (message, &from, &to, &stamp,
         &msgtype, &id, &body, &state, &send_error, &delivery_status, &delivery_token, &sent))
     return TRUE;
diff --git a/tests/twisted/text/test-carbons.py b/tests/twisted/text/test-carbons.py
@@ -5,7 +5,7 @@
 
 from gabbletest import XmppXmlStream, exec_test, elem, acknowledge_iq
 from servicetest import (EventPattern, wrap_channel, assertEquals, assertLength,
-        assertContains)
+        assertContains, TimeoutError)
 import constants as cs
 
 NS_CARBONS = 'urn:xmpp:carbons:2'
@@ -172,6 +172,25 @@ def test(q, bus, conn, stream):
     assert body['content-type'] == 'text/plain', body
     assert body['content'] == u'goodbye', body
 
+    # Verify source protection
+    msg = elem('message', type='chat', from_='smith@matrix.org/agent712')(
+        elem(NS_CARBONS, 'received')(
+            elem(NS_FORWARD, 'forwarded')(
+                elem('jabber:client','message', id=id, from_='foo@bar.com/Pidgin', type='chat')(
+                    elem('body')('Mr. Anderson!')
+                )
+            )
+        )
+    )
+    stream.send(msg)
+    # This is a nasty test but we need to make sure spoofed message is ignored
+    try:
+        q.timeout = 2
+        message_received = q.expect('dbus-signal', signal='MessageReceived')
+        assert not message_received, message_received.args
+    except TimeoutError as e:
+        pass
+
 
 if __name__ == '__main__':
     exec_test(test, protocol=CarbonStream, params={'message-carbons':True})
