diff options
| author |   Kim Alvefur <zash@zash.se> | 2019-07-20 04:19:58 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2019-07-20 04:19:58 +0200 |
| commit | 3204f55be1cbe4c9871584d0ee957f72afed8055 (patch) | |
| tree | d3e14031365c5059107e696d558e1750ca1e1cb5 | |
| parent | util.serialization: Cache default serialization instance (fixes #1389) (diff) | |
| download | prosody-3204f55be1cbe4c9871584d0ee957f72afed8055.tar.xz prosody-3204f55be1cbe4c9871584d0ee957f72afed8055.zip | |
mod_websocket: Clone stanza before mutating (fixes #1398)
Checking for `stanza.attr.xmlns == nil` to determine if the stanza
object is an actual stanza (`<message>`, `<presence>` or `<iq>` in the
`jabber:client` or `jabbber:server` namespace) or some other stream
element.
Since this mutation is not reverted, it may leak to other places and
cause them to mistreat stanzas as stream elements. Especially in cases
like MUC where a single stanza is broadcast to many recipients.
| -rw-r--r-- | plugins/mod_websocket.lua | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua index b4aba338d..686a89815 100644 --- a/plugins/mod_websocket.lua +++ b/plugins/mod_websocket.lua @@ -285,6 +285,7 @@ function handle_request(event) end); add_filter(session, "stanzas/out", function(stanza) + stanza = st.clone(stanza); local attr = stanza.attr; attr.xmlns = attr.xmlns or xmlns_client; if stanza.name:find("^stream:") then |