Prevent forging of messages via carbons.

docs/CHANGES.md

 # Changelog
 
+## 1.0.7 (Unreleased)
+- Security fix: Prevent message forging via carbons. (Thanks to ge0rg) [jcbrand]
+
 ## 1.0.6 (2016-08-12)
 - #632 Offline and Logout states do not properly update once users start
   chatting. [chrisuehlinger, jcband]

package.json

@@ -46,7 +46,7 @@
   },
   "dependencies": {
     "requirejs": "~2.2.0",
-    "pluggable.js": "https://github.com/jcbrand/pluggable.js.git#master",
+    "pluggable.js": "0.0.1",
     "jquery": "1.12.3",
     "jed": "0.5.4",
     "underscore": "~1.8.3",

spec/chatbox.js

@@ -694,7 +694,7 @@
                     var msgtext = 'This is a carbon message';
                     var sender_jid = mock.cur_names[1].replace(/ /g,'.').toLowerCase() + '@localhost';
                     var msg = $msg({
-                            'from': converse.bare_jid,
+                            'from': sender_jid,
                             'id': (new Date()).getTime(),
                             'to': converse.connection.jid,
                             'type': 'chat',

src/converse-core.js

@@ -1350,7 +1350,14 @@
                 }
                 $forwarded = $message.find('forwarded');
                 if ($forwarded.length) {
-                    $message = $forwarded.children('message');
+                    var $forwarded_message = $forwarded.children('message');
+                    if (Strophe.getBareJidFromJid($forwarded_message.attr('from')) !== from_jid) {
+                        // Prevent message forging via carbons
+                        //
+                        // https://xmpp.org/extensions/xep-0280.html#security
+                        return true;
+                    }
+                    $message = $forwarded_message;
                     $delay = $forwarded.children('delay');
                     from_jid = $message.attr('from');
                     to_jid = $message.attr('to');