Before forwarding last activity requests to a user, check that the user's presence is visible for From

According to XEP-0012, 4. Online User Query, "if the requesting entity is not authorized to view the user's presence information (normally via a presence subscription as defined in XMPP IM), the user's server MUST NOT deliver the IQ-get to an available resource but instead MUST return a <forbidden/> error in response to the last activity request." So check for a subscription of from of the jid and bare jid and whether outgoing presences to From are allowed. Fixes problem 3 of EJAB-1158.
2024-11-22 16:20:52 +01:00 · 2010-11-05 15:44:22 +01:00 · 2010-11-05 15:44:22 +01:00 · 7d93cad452
commit 7d93cad452
parent 860d8525ee
1 changed files with 19 additions and 0 deletions
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@ -1291,6 +1291,25 @@ handle_info({route, From, To, Packet}, StateName, StateData) ->
 		case exmpp_iq:is_request(Packet) of
 		    true ->
 			case exmpp_iq:get_request(Packet) of
+			    #xmlel{ns = ?NS_LAST_ACTIVITY} ->
+				LFrom = jlib:short_prepd_jid(From),
+				LBFrom = jlib:short_prepd_bare_jid(From),
+				DummyPresence = exmpp_presence:presence(available, ""),
+			       HasFromSub = (?SETS:is_element(LFrom, StateData#state.pres_f) orelse ?SETS:is_element(LBFrom, StateData#state.pres_f))
+				   andalso is_privacy_allow(StateData, To, From, DummyPresence, out),
+			       case HasFromSub of
+				   true ->
+				       case privacy_check_packet(StateData, From, To, Packet, in) of
+					   allow ->
+					       {true, Attrs, StateData};
+					   deny ->
+					       {false, Attrs, StateData}
+				       end;
+				   _ ->
+					Err = exmpp_server_session:error(Packet, 'forbidden'),
+					send_element(StateData, Err),
+				       {false, Attrs, StateData}
+			       end;
 			    _ ->
 				case privacy_check_packet(StateData, From, To, Packet, in) of
 				    allow ->