# HG changeset patch # User Matthew Wild # Date 1777459243 -3600 # Node ID 2a66728d9e298653f9ab30e5874b7ba15a53ace7 # Parent 9c98cc9d95885b142aa5e07390a34e8aa57ee352 mod_proxy65: Consistently apply authorization checks The module checked for authorization when a client asked for the address:port of the proxy service. It did not check for authorization when processing a request to activate a bytestream. This meant that any unauthenticated party able to guess the IP/port and XMPP domain of a proxy65 service (generally low difficulty) would be able to use the proxy to relay traffic between two connections. This factors out the permission check, and applies it to every request type. diff -r 9c98cc9d9588 -r 2a66728d9e29 plugins/mod_proxy65.lua --- a/plugins/mod_proxy65.lua Wed Apr 29 11:37:21 2026 +0100 +++ b/plugins/mod_proxy65.lua Wed Apr 29 11:40:43 2026 +0100 @@ -103,25 +103,24 @@ module:add_identity("proxy", "bytestreams", name); module:add_feature("http://jabber.org/protocol/bytestreams"); - module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event) - local origin, stanza = event.origin, event.stanza; - - -- check ACL - -- using 'while' instead of 'if' so we can break out of it - local allow; + local function is_permitted(origin, stanza) if proxy_acl and #proxy_acl > 0 then local jid = stanza.attr.from; for _, acl in ipairs(proxy_acl) do if jid_compare(jid, acl) then - allow = true; - break; + return true; end end elseif proxy_open_access or origin.type == "c2s" then - allow = true; + return true; end + return false; + end - if not allow then + module:hook("iq-get/host/http://jabber.org/protocol/bytestreams:query", function(event) + local origin, stanza = event.origin, event.stanza; + + if not is_permitted(origin, stanza) then module:log("warn", "Denying use of proxy for %s", stanza.attr.from); origin.send(st.error_reply(stanza, "auth", "forbidden")); return true; @@ -143,6 +142,12 @@ module:hook("iq-set/host/http://jabber.org/protocol/bytestreams:query", function(event) local origin, stanza = event.origin, event.stanza; + if not is_permitted(origin, stanza) then + module:log("warn", "Denying use of proxy for %s", stanza.attr.from); + origin.send(st.error_reply(stanza, "auth", "forbidden")); + return true; + end + local query = stanza.tags[1]; local sid = query.attr.sid; local from = stanza.attr.from;