mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 05:07:42 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

util.xml: Deduplicate handlers for restricted XML

Browse source 
Makes the code more like util.xmppstream, allowing easier comparisons if
we ever need to apply fixes in the future.
This commit is contained in:
Kim Alvefur 2022-01-20 10:51:46 +01:00
parent d17619344d
commit 785d327308
1 changed files with 5 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

17
util/xml.lua
View file

@ -66,23 +66,16 @@ local parse_xml = (function()
stanza:up();
end
-- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
function handler:StartDoctypeDecl()
if not self.stop or not self:stop() then
error("Failed to abort parsing");
end
end
function handler:ProcessingInstruction()
if not self.stop or not self:stop() then
local function restricted_handler(parser)
if not parser.stop or not parser:stop() then
error("Failed to abort parsing");
end
end
handler.StartDoctypeDecl = restricted_handler;
handler.ProcessingInstruction = restricted_handler;
if not options or not options.allow_comments then
-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
function handler:Comment()
if not self.stop or not self:stop() then
error("Failed to abort parsing");
end
end
handler.Comment = restricted_handler;
end
local parser = lxp.new(handler, ns_separator);
local ok, err, line, col = parser:parse(xml);