From 5212b0aaa6a9e35ec7f3fd075d19b44a362b1d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?= <pchmielowski@process-one.net>
Date: Thu, 21 Jan 2021 14:20:30 +0100
Subject: [PATCH] Validate affiliations in set_room_affiliation command

---
 src/mod_muc_admin.erl | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/mod_muc_admin.erl b/src/mod_muc_admin.erl
index d80e71589..e35b19419 100644
--- a/src/mod_muc_admin.erl
+++ b/src/mod_muc_admin.erl
@@ -1237,7 +1237,15 @@ get_room_affiliation(Name, Service, JID) ->
 %% If the affiliation is 'none', the action is to remove,
 %% In any other case the action will be to create the affiliation.
 set_room_affiliation(Name, Service, JID, AffiliationString) ->
-    Affiliation = misc:binary_to_atom(AffiliationString),
+    Affiliation = case AffiliationString of
+                      <<"outcast">> -> outcast;
+                      <<"none">> -> none;
+                      <<"member">> -> member;
+                      <<"admin">> -> admin;
+                      <<"owner">> -> owner;
+                      _ ->
+                          throw({error, "Invalid affiliation"})
+                  end,
     case get_room_pid(Name, Service) of
 	Pid when is_pid(Pid) ->
 	    %% Get the PID for the online room so we can get the state of the room