allow roster pushes only from bare jid or null

Daniel Gultsch created

Change summary

src/eu/siacs/conversations/services/XmppConnectionService.java | 10 ++-
1 file changed, 6 insertions(+), 4 deletions(-)

Detailed changes

src/eu/siacs/conversations/services/XmppConnectionService.java 🔗

@@ -377,12 +377,14 @@ public class XmppConnectionService extends Service {
 
 		@Override
 		public void onIqPacketReceived(Account account, IqPacket packet) {
-			if (packet.hasChild("query")) {
-				Element query = packet.findChild("query");
-				String xmlns = query.getAttribute("xmlns");
-				if ((xmlns != null) && (xmlns.equals("jabber:iq:roster"))) {
+			if (packet.hasChild("query","jabber:iq:roster")) {
+				String from = packet.getFrom();
+				if ((from==null)||(from.equals(account.getJid()))) {
+					Element query = packet.findChild("query");
 					processRosterItems(account, query);
 					mergePhoneContactsWithRoster(null);
+				} else {
+					Log.d(LOGTAG,"unauthorized roster push from: "+from);
 				}
 			} else if (packet
 					.hasChild("open", "http://jabber.org/protocol/ibb")
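Review bot: The lookup `Element query = packet.findChild("query");` is not namespace-qualified while the guard above it is, so a stanza carrying more than one `query` child could pass the `jabber:iq:roster` check and then hand a different element to processRosterItems. If a namespace-aware lookup exists alongside the two-argument hasChild, it should be used here. The sender check `from.equals(account.getJid())` is an exact string match, which fails closed, but a server that echoes the bare JID in a different case would have its legitimate pushes dropped; comparing normalized JIDs would avoid that, assuming getJid() returns the bare form. The rejected `from` is remote-controlled text written to the log, so a short comment such as `// from is remote-supplied: log only, never act on it` would help the next reader. The body of onIqPacketReceived continues past the end of this hunk.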