From 4822d4dce7c8110c76dece28ccc2b3dd98698b97 Mon Sep 17 00:00:00 2001
From: Daniel Gultsch
Date: Sat, 3 May 2014 17:07:37 +0200
Subject: [PATCH] allow roster pushes only from bare jid or null

---
 .../conversations/services/XmppConnectionService.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/eu/siacs/conversations/services/XmppConnectionService.java b/src/eu/siacs/conversations/services/XmppConnectionService.java
index 70d5fc03a..d554c5041 100644
--- a/src/eu/siacs/conversations/services/XmppConnectionService.java
+++ b/src/eu/siacs/conversations/services/XmppConnectionService.java
@@ -377,12 +377,14 @@ public class XmppConnectionService extends Service {
 
 @Override
 public void onIqPacketReceived(Account account, IqPacket packet) {
- if (packet.hasChild("query")) {
- Element query = packet.findChild("query");
- String xmlns = query.getAttribute("xmlns");
- if ((xmlns != null) && (xmlns.equals("jabber:iq:roster"))) {
+ if (packet.hasChild("query","jabber:iq:roster")) {
+ String from = packet.getFrom();
+ if ((from==null)||(from.equals(account.getJid()))) {
+ Element query = packet.findChild("query");
 processRosterItems(account, query);
 mergePhoneContactsWithRoster(null);
+ } else {
+ Log.d(LOGTAG,"unauthorized roster push from: "+from);
 }
 } else if (packet
 .hasChild("open", "http://jabber.org/protocol/ibb")
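Review bot: The new guard tests `packet.hasChild("query","jabber:iq:roster")`, but the element passed to `processRosterItems` still comes from the unqualified `packet.findChild("query")`, so the namespace test and the lookup can disagree if a stanza carries more than one `query` child; the lookup should be namespace-qualified to match the guard (assuming `Element` has, or is given, a two-argument lookup like the two-argument `hasChild` used here). The sender check `from.equals(account.getJid())` is an exact, case-sensitive string comparison, so it relies on `account.getJid()` returning the normalised bare JID; it fails closed, but a comment such as `// RFC 6121: accept roster pushes only with no 'from' or from our own bare JID` would record why the check exists and what it assumes. The rejected `from` value is controlled by the remote sender and is concatenated straight into the `Log.d` message, so stripping line breaks from it before logging would keep the log unambiguous. `onIqPacketReceived` continues past the end of the hunk, so the remaining branches are not reviewed here.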