# HG changeset patch # User Matthew Wild # Date 1777459243 -3600 # Node ID 4bbb17445ed970f697dbb9afb5dd4e52824e9f1e # Parent f34ad235cf3b2f2e0d6bdf6af1ac3c876555b7bb mod_proxy65: Consistently apply authorization checks The module checked for authorization when a client asked for the address:port of the proxy service. It did not check for authorization when processing a request to activate a bytestream. This meant that any unauthenticated party able to guess the IP/port and XMPP domain of a proxy65 service (generally low difficulty) would be able to use the proxy to relay traffic between two connections. This factors out the permission check, and applies it to every request type. diff -r f34ad235cf3b -r 4bbb17445ed9 plugins/mod_proxy65.lua --- a/plugins/mod_proxy65.lua Wed Apr 29 11:37:21 2026 +0100 +++ b/plugins/mod_proxy65.lua Wed Apr 29 11:40:43 2026 +0100 @@ -103,25 +103,24 @@ module:add_identity("proxy", "bytestreams", name); module:add_feature("http://jabber.org/protocol/bytestreams"); - module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event) - local origin, stanza = event.origin, event.stanza; - - -- check ACL - -- using 'while' instead of 'if' so we can break out of it - local allow; + local function is_permitted(origin, stanza) if proxy_acl and #proxy_acl > 0 then local jid = stanza.attr.from; for _, acl in ipairs(proxy_acl) do if jid_compare(jid, acl) then - allow = true; - break; + return true; end end elseif proxy_open_access or origin.type == "c2s" then - allow = true; + return true; end + return false; + end - if not allow then + module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event) + local origin, stanza = event.origin, event.stanza; + + if not is_permitted(origin, stanza) then module:log("warn", "Denying use of proxy for %s", stanza.attr.from); origin.send(st.error_reply(stanza, "auth", "forbidden")); return true; @@ -143,6 +142,12 @@ module:hook("iq-set/host/http://jabber.org/protocol/bytestreams:query", function(event) local origin, stanza = event.origin, event.stanza; + if not is_permitted(origin, stanza) then + module:log("warn", "Denying use of proxy for %s", stanza.attr.from); + origin.send(st.error_reply(stanza, "auth", "forbidden")); + return true; + end + local query = stanza.tags[1]; local sid = query.attr.sid; local from = stanza.attr.from;