# HG changeset patch # User Andreas Monitzer # Date 1182802051 0 # Node ID feac55968392ccb75ab20624588157248b7004f4 # Parent 9a19c46adf663495efb939ae2e14794de5aea9ac Now all ad-hoc commands have to be sent through jabber_adhoc_execute to be properly executed (including the form steps). This cleans up the code a bit, and avoids DOS attacks by flooding the client with malicious ad-hoc command forms that were not requested. diff -r 9a19c46adf66 -r feac55968392 libpurple/protocols/jabber/adhoccommands.c --- a/libpurple/protocols/jabber/adhoccommands.c Mon Jun 25 19:08:16 2007 +0000 +++ b/libpurple/protocols/jabber/adhoccommands.c Mon Jun 25 20:07:31 2007 +0000 @@ -122,7 +122,7 @@ jabber_iq_send(iq); } -void jabber_adhoc_parse(JabberStream *js, xmlnode *packet) { +static void jabber_adhoc_parse(JabberStream *js, xmlnode *packet, gpointer data) { xmlnode *command = xmlnode_get_child_with_namespace(packet, "command", "http://jabber.org/protocol/commands"); const char *status = xmlnode_get_attrib(command,"status"); xmlnode *xdata = xmlnode_get_child_with_namespace(command,"x","jabber:x:data"); @@ -181,21 +181,13 @@ } } -void jabber_adhoc_execute(PurpleBlistNode *node, gpointer data) { +void jabber_adhoc_execute_action(PurpleBlistNode *node, gpointer data) { if (PURPLE_BLIST_NODE_IS_BUDDY(node)) { JabberAdHocCommands *cmd = data; PurpleBuddy *buddy = (PurpleBuddy *) node; JabberStream *js = purple_account_get_connection(buddy->account)->proto_data; - JabberIq *iq = jabber_iq_new(js, JABBER_IQ_SET); - xmlnode *command = xmlnode_new_child(iq->node,"command"); - xmlnode_set_attrib(iq->node,"to",cmd->jid); - xmlnode_set_namespace(command,"http://jabber.org/protocol/commands"); - xmlnode_set_attrib(command,"node",cmd->node); - xmlnode_set_attrib(command,"action","execute"); - /* we don't need to set a callback, since jabber_adhoc_parse is run for all replies */ - - jabber_iq_send(iq); + jabber_adhoc_execute(js, cmd); } } @@ -243,22 +235,26 @@ jabber_iq_send(iq); } +void jabber_adhoc_execute(JabberStream *js, JabberAdHocCommands *cmd) { + JabberIq *iq = jabber_iq_new(js, JABBER_IQ_SET); + xmlnode *command = xmlnode_new_child(iq->node,"command"); + xmlnode_set_attrib(iq->node,"to",cmd->jid); + xmlnode_set_namespace(command,"http://jabber.org/protocol/commands"); + xmlnode_set_attrib(command,"node",cmd->node); + xmlnode_set_attrib(command,"action","execute"); + + jabber_iq_set_callback(iq,jabber_adhoc_parse,NULL); + + jabber_iq_send(iq); +} + void jabber_adhoc_server_execute(PurplePluginAction *action) { JabberAdHocCommands *cmd = action->user_data; if(cmd) { PurpleConnection *gc = (PurpleConnection *) action->context; JabberStream *js = gc->proto_data; - JabberIq *iq = jabber_iq_new(js, JABBER_IQ_SET); - xmlnode *command = xmlnode_new_child(iq->node,"command"); - xmlnode_set_attrib(iq->node,"to",cmd->jid); - xmlnode_set_namespace(command,"http://jabber.org/protocol/commands"); - xmlnode_set_attrib(command,"node",cmd->node); - xmlnode_set_attrib(command,"action","execute"); - - /* we don't need to set a callback, since jabber_adhoc_parse is run for all replies */ - - jabber_iq_send(iq); + jabber_adhoc_execute(js, cmd); } } diff -r 9a19c46adf66 -r feac55968392 libpurple/protocols/jabber/adhoccommands.h --- a/libpurple/protocols/jabber/adhoccommands.h Mon Jun 25 19:08:16 2007 +0000 +++ b/libpurple/protocols/jabber/adhoccommands.h Mon Jun 25 20:07:31 2007 +0000 @@ -26,11 +26,11 @@ /* Implementation of XEP-0050 */ -void jabber_adhoc_parse(JabberStream *js, xmlnode *packet); - void jabber_adhoc_disco_result_cb(JabberStream *js, xmlnode *packet, gpointer data); -void jabber_adhoc_execute(PurpleBlistNode *node, gpointer data); +void jabber_adhoc_execute(JabberStream *js, JabberAdHocCommands *cmd); + +void jabber_adhoc_execute_action(PurpleBlistNode *node, gpointer data); void jabber_adhoc_server_get_list(JabberStream *js); diff -r 9a19c46adf66 -r feac55968392 libpurple/protocols/jabber/buddy.c --- a/libpurple/protocols/jabber/buddy.c Mon Jun 25 19:08:16 2007 +0000 +++ b/libpurple/protocols/jabber/buddy.c Mon Jun 25 20:07:31 2007 +0000 @@ -1709,7 +1709,7 @@ continue; for(commands = jbr->commands; commands; commands = g_list_next(commands)) { JabberAdHocCommands *cmd = commands->data; - act = purple_menu_action_new(cmd->name, PURPLE_CALLBACK(jabber_adhoc_execute), cmd, NULL); + act = purple_menu_action_new(cmd->name, PURPLE_CALLBACK(jabber_adhoc_execute_action), cmd, NULL); m = g_list_append(m, act); } } diff -r 9a19c46adf66 -r feac55968392 libpurple/protocols/jabber/iq.c --- a/libpurple/protocols/jabber/iq.c Mon Jun 25 19:08:16 2007 +0000 +++ b/libpurple/protocols/jabber/iq.c Mon Jun 25 20:07:31 2007 +0000 @@ -292,11 +292,6 @@ return; } - if(xmlnode_get_child_with_namespace(packet, "command", "http://jabber.org/protocol/commands")) { - jabber_adhoc_parse(js, packet); - return; - } - purple_debug_info("jabber", "jabber_iq_parse\n"); if(xmlnode_get_child_with_namespace(packet, "ping", "http://www.xmpp.org/extensions/xep-0199.html#ns")) {