From 3e2f9fcbec69350c363f7b47422c5186671f2c2b Mon Sep 17 00:00:00 2001
From: Yann Leboulanger <asterix@lagaule.org>
Date: Tue, 16 Sep 2008 08:30:27 +0000
Subject: [PATCH] prevent affiliatio spoofing by checking namespace. Fixes
 #4323

---
 src/common/xmpp/protocol.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/common/xmpp/protocol.py b/src/common/xmpp/protocol.py
index 7ae19a6670..083d8f485e 100644
--- a/src/common/xmpp/protocol.py
+++ b/src/common/xmpp/protocol.py
@@ -502,10 +502,14 @@ class Presence(Protocol):
 
     def _muc_getItemAttr(self,tag,attr):
         for xtag in self.getTags('x'):
+            if xtag.getNamespace() not in (NS_MUC_USER, NS_MUC_ADMIN):
+                continue
             for child in xtag.getTags(tag):
                 return child.getAttr(attr)
     def _muc_getSubTagDataAttr(self,tag,attr):
         for xtag in self.getTags('x'):
+            if xtag.getNamespace() not in (NS_MUC_USER, NS_MUC_ADMIN):
+                continue
             for child in xtag.getTags('item'):
                 for cchild in child.getTags(tag):
                     return cchild.getData(),cchild.getAttr(attr)
@@ -777,4 +781,4 @@ class DataForm(Node):
         """ Simple dictionary interface for setting datafields values by their names."""
         return self.setField(name).setValue(val)
 
-# vim: se ts=3:
\ No newline at end of file
+# vim: se ts=3:
-- 
GitLab