Fix CVE-2016-10376.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376
http://seclists.org/oss-sec/2017/q2/341
https://dev.gajim.org/gajim/gajim/issues/8378
Patch copied from upstream source repository:
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
(adapted for context in config.py)
From cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc Mon Sep 17 00:00:00 2001
From: Philipp Hörist
Date: Fri, 26 May 2017 23:10:05 +0200
Subject: [PATCH] Add config option to activate XEP-0146 commands
Some of the Commands have security implications, thats why we disable them per default
Fixes #8378
---
 src/common/commands.py | 7 ++++---
 src/common/config.py | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/common/commands.py b/src/common/commands.py
index 19d8c13..0eeb57c 100644
--- a/src/common/commands.py
+++ b/src/common/commands.py
@@ -345,9 +345,10 @@ class ConnectionCommands:
 def __init__(self):
 # a list of all commands exposed: node -> command class
 self.__commands = {}
- for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
- LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
- self.__commands[cmdobj.commandnode] = cmdobj
+ if gajim.config.get('remote_commands'):
+ for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand,
+ LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand):
+ self.__commands[cmdobj.commandnode] = cmdobj
 # a list of sessions; keys are tuples (jid, sessionid, node)
 self.__sessions = {}
diff --git a/src/common/config.py b/src/common/config.py
index cde1f81..fe25455 100644
--- a/src/common/config.py
+++ b/src/common/config.py
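Review bot: In the src/common/commands.py hunk, `gajim.config.get('remote_commands')` is evaluated only once, inside `ConnectionCommands.__init__`, so the command table is fixed at construction time. Switching the option off later would presumably leave the four command classes registered on an existing connection until the object is rebuilt, which is worth stating or handling. The gate also carries no explanation; I would add a comment above the `if`, such as `# XEP-0146 remote commands act on requests received over the wire; keep them opt-in (CVE-2016-10376)`. Whether the discovery and execution paths consult only `self.__commands`, so that an empty dict both hides and refuses the nodes, cannot be confirmed here because the rest of the class lies outside the hunk.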
@@ -314,6 +314,7 @@ class Config:
 'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim will ignore incoming attention requestd ("wizz").')],
 'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, Gajim will reopen chat windows that were opened last time Gajim was closed.')],
 'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will show an icon to show that sent message has been received by your contact')],
+ 'remote_commands': [opt_bool, False, _('If True, Gajim will execute XEP-0146 Commands.')],
 }, {})
 __options_per_key = {
--
libgit2 0.24.0
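Review bot: The help string added for `'remote_commands'` does not tell the user why the option defaults to False, although the commit message gives security implications as the reason. Someone browsing the advanced configuration sees only "will execute XEP-0146 Commands" and has nothing to weigh before enabling it. I would make the risk visible in the text, e.g. `_('If True, Gajim will execute XEP-0146 (remote controlling) commands such as status changes and message forwarding. These have security implications; leave disabled unless needed.')`. The option sits in the global table, so it applies to every account; a per-account setting in `__options_per_key`, whose definition starts at the end of this hunk, may be the better fit.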