Added validation for IQ packets with no 'id' attribute. JM-1465

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10903 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/openfire/IQRouter.java

@@ -279,7 +279,7 @@ public class IQRouter extends BasicModule {
                 return;
             }
         }
-        if (IQ.Type.result == packet.getType() || IQ.Type.error == packet.getType()) {
+        if (packet.getID() != null && (IQ.Type.result == packet.getType() || IQ.Type.error == packet.getType())) {
             // The server got an answer to an IQ packet that was sent from the server
             IQResultListener iqResultListener = resultListeners.remove(packet.getID());
             if (iqResultListener != null) {

src/java/org/jivesoftware/openfire/net/StanzaHandler.java

@@ -20,6 +20,7 @@ import org.jivesoftware.openfire.XMPPServer;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.session.LocalSession;
 import org.jivesoftware.openfire.session.Session;
+import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.LocaleUtils;
 import org.jivesoftware.util.Log;
 import org.jivesoftware.util.StringUtils;
@@ -273,6 +274,13 @@ public abstract class StanzaHandler {
                 session.process(reply);
                 return;
             }
+            if (packet.getID() == null && JiveGlobals.getBooleanProperty("xmpp.server.validation.enabled", false)) {
+                // IQ packets MUST have an 'id' attribute so close the connection
+                StreamError error = new StreamError(StreamError.Condition.invalid_xml);
+                session.deliverRawText(error.toXML());
+                session.close();
+                return;
+            }
             processIQ(packet);
         }
         else {