Mercurial > pidgin
comparison libpurple/protocols/jabber/adhoccommands.c @ 17884:feac55968392
Now all ad-hoc commands have to be sent through jabber_adhoc_execute to be properly executed (including the form steps). This cleans up the code a bit, and avoids DOS attacks by flooding the client with malicious ad-hoc command forms that were not requested.
| author | Andreas Monitzer <pidgin@monitzer.com> |
|---|---|
| date | Mon, 25 Jun 2007 20:07:31 +0000 |
| parents | 9a19c46adf66 |
| children | 49fe31a64716 |
comparison
equal
deleted
inserted
replaced
| 17883:9a19c46adf66 | 17884:feac55968392 |
|---|---|
| 120 g_free(actionInfo->node); | 120 g_free(actionInfo->node); |
| 121 | 121 |
| 122 jabber_iq_send(iq); | 122 jabber_iq_send(iq); |
| 123 } | 123 } |
| 124 | 124 |
| 125 void jabber_adhoc_parse(JabberStream *js, xmlnode *packet) { | 125 static void jabber_adhoc_parse(JabberStream *js, xmlnode *packet, gpointer data) { |
| 126 xmlnode *command = xmlnode_get_child_with_namespace(packet, "command", "http://jabber.org/protocol/commands"); | 126 xmlnode *command = xmlnode_get_child_with_namespace(packet, "command", "http://jabber.org/protocol/commands"); |
| 127 const char *status = xmlnode_get_attrib(command,"status"); | 127 const char *status = xmlnode_get_attrib(command,"status"); |
| 128 xmlnode *xdata = xmlnode_get_child_with_namespace(command,"x","jabber:x:data"); | 128 xmlnode *xdata = xmlnode_get_child_with_namespace(command,"x","jabber:x:data"); |
| 129 | 129 |
| 130 if(!status) | 130 if(!status) |
| 179 | 179 |
| 180 jabber_x_data_request_with_actions(js,xdata,actionslist,actionindex,do_adhoc_action_cb,actionInfo); | 180 jabber_x_data_request_with_actions(js,xdata,actionslist,actionindex,do_adhoc_action_cb,actionInfo); |
| 181 } | 181 } |
| 182 } | 182 } |
| 183 | 183 |
| 184 void jabber_adhoc_execute(PurpleBlistNode *node, gpointer data) { | 184 void jabber_adhoc_execute_action(PurpleBlistNode *node, gpointer data) { |
| 185 if (PURPLE_BLIST_NODE_IS_BUDDY(node)) { | 185 if (PURPLE_BLIST_NODE_IS_BUDDY(node)) { |
| 186 JabberAdHocCommands *cmd = data; | 186 JabberAdHocCommands *cmd = data; |
| 187 PurpleBuddy *buddy = (PurpleBuddy *) node; | 187 PurpleBuddy *buddy = (PurpleBuddy *) node; |
| 188 JabberStream *js = purple_account_get_connection(buddy->account)->proto_data; | 188 JabberStream *js = purple_account_get_connection(buddy->account)->proto_data; |
| 189 JabberIq *iq = jabber_iq_new(js, JABBER_IQ_SET); | 189 |
| 190 xmlnode *command = xmlnode_new_child(iq->node,"command"); | 190 jabber_adhoc_execute(js, cmd); |
| 191 xmlnode_set_attrib(iq->node,"to",cmd->jid); | |
| 192 xmlnode_set_namespace(command,"http://jabber.org/protocol/commands"); | |
| 193 xmlnode_set_attrib(command,"node",cmd->node); | |
| 194 xmlnode_set_attrib(command,"action","execute"); | |
| 195 | |
| 196 /* we don't need to set a callback, since jabber_adhoc_parse is run for all replies */ | |
| 197 | |
| 198 jabber_iq_send(iq); | |
| 199 } | 191 } |
| 200 } | 192 } |
| 201 | 193 |
| 202 static void jabber_adhoc_server_got_list_cb(JabberStream *js, xmlnode *packet, gpointer data) { | 194 static void jabber_adhoc_server_got_list_cb(JabberStream *js, xmlnode *packet, gpointer data) { |
| 203 xmlnode *query = xmlnode_get_child_with_namespace(packet, "query", "http://jabber.org/protocol/disco#items"); | 195 xmlnode *query = xmlnode_get_child_with_namespace(packet, "query", "http://jabber.org/protocol/disco#items"); |
| 241 | 233 |
| 242 jabber_iq_set_callback(iq,jabber_adhoc_server_got_list_cb,NULL); | 234 jabber_iq_set_callback(iq,jabber_adhoc_server_got_list_cb,NULL); |
| 243 jabber_iq_send(iq); | 235 jabber_iq_send(iq); |
| 244 } | 236 } |
| 245 | 237 |
| 238 void jabber_adhoc_execute(JabberStream *js, JabberAdHocCommands *cmd) { | |
| 239 JabberIq *iq = jabber_iq_new(js, JABBER_IQ_SET); | |
| 240 xmlnode *command = xmlnode_new_child(iq->node,"command"); | |
| 241 xmlnode_set_attrib(iq->node,"to",cmd->jid); | |
| 242 xmlnode_set_namespace(command,"http://jabber.org/protocol/commands"); | |
| 243 xmlnode_set_attrib(command,"node",cmd->node); | |
| 244 xmlnode_set_attrib(command,"action","execute"); | |
| 245 | |
| 246 jabber_iq_set_callback(iq,jabber_adhoc_parse,NULL); | |
| 247 | |
| 248 jabber_iq_send(iq); | |
| 249 } | |
| 250 | |
| 246 void jabber_adhoc_server_execute(PurplePluginAction *action) { | 251 void jabber_adhoc_server_execute(PurplePluginAction *action) { |
| 247 JabberAdHocCommands *cmd = action->user_data; | 252 JabberAdHocCommands *cmd = action->user_data; |
| 248 if(cmd) { | 253 if(cmd) { |
| 249 PurpleConnection *gc = (PurpleConnection *) action->context; | 254 PurpleConnection *gc = (PurpleConnection *) action->context; |
| 250 JabberStream *js = gc->proto_data; | 255 JabberStream *js = gc->proto_data; |
| 251 | 256 |
| 252 JabberIq *iq = jabber_iq_new(js, JABBER_IQ_SET); | 257 jabber_adhoc_execute(js, cmd); |
| 253 xmlnode *command = xmlnode_new_child(iq->node,"command"); | |
| 254 xmlnode_set_attrib(iq->node,"to",cmd->jid); | |
| 255 xmlnode_set_namespace(command,"http://jabber.org/protocol/commands"); | |
| 256 xmlnode_set_attrib(command,"node",cmd->node); | |
| 257 xmlnode_set_attrib(command,"action","execute"); | |
| 258 | |
| 259 /* we don't need to set a callback, since jabber_adhoc_parse is run for all replies */ | |
| 260 | |
| 261 jabber_iq_send(iq); | |
| 262 } | 258 } |
| 263 } | 259 } |
| 264 | 260 |
| 265 void jabber_adhoc_init_server_commands(JabberStream *js, GList **m) { | 261 void jabber_adhoc_init_server_commands(JabberStream *js, GList **m) { |
| 266 GList *cmdlst; | 262 GList *cmdlst; |