fix: OF-2655 - explicitly check the streamId is a new ID before creat…

…ing a new session
surevine · Sep 4, 2023 · 5cff047 · 5cff047
1 parent 297d231
commit 5cff047
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java b/xmppserver/src/main/java/org/jivesoftware/openfire/net/RespondingServerStanzaHandler.java
@@ -129,14 +129,16 @@ protected void initiateSession(String stanza, XMPPPacketReader reader) throws Ex
                     .collect(Collectors.toSet());
                 connection.setAdditionalNamespaces(additionalNamespaces);
 
+                String streamHeaderId = rootElement.attribute("id").getValue();
+
                 // Create a new session with a new ID if a new stream has started on an existing connection
                 // following TLS negotiation in accordance with RFC 6120 § 5.4.3.3. See https://datatracker.ietf.org/doc/html/rfc6120#section-5.4.3.3
-                String newStreamId = rootElement.attribute("id").getValue();
-                if (sessionCreated && newStreamId != null) {
-                    ServerSession.AuthenticationMethod existingAuthMethod = session instanceof LocalOutgoingServerSession
-                        ? ((LocalOutgoingServerSession) session).getAuthenticationMethod()
+                if (sessionCreated && isNewStreamId(streamHeaderId)) {
+                    LocalOutgoingServerSession localOutgoingServerSession = session instanceof LocalOutgoingServerSession ? (LocalOutgoingServerSession) session : null;
+                    ServerSession.AuthenticationMethod existingAuthMethod = localOutgoingServerSession != null
+                        ? localOutgoingServerSession.getAuthenticationMethod()
                         : null;
-                    transferConnectionToNewSession(newStreamId, existingAuthMethod);
+                    transferConnectionToNewSession(streamHeaderId, existingAuthMethod);
                 }
             } catch (DocumentException e) {
                 LOG.error("Failed extract additional namespaces", e);
@@ -156,6 +158,10 @@ protected void initiateSession(String stanza, XMPPPacketReader reader) throws Ex
         }
     }
 
+    private boolean isNewStreamId(String streamHeaderId) {
+        return streamHeaderId.equals(session.getStreamID().getID());
+    }
+
     private static boolean isRelevantNamespace(Namespace ns) {
         return !XMPPPacketReader.IGNORED_NAMESPACE_ON_STANZA.contains(ns.getURI());
     }