mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 0.11->trunk

Browse source
This commit is contained in:
Kim Alvefur 2022-01-20 13:02:24 +01:00
commit 991e6531ab
1 changed files with 5 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

18
util/xml.lua
View file

@ -65,27 +65,19 @@ local parse_xml = (function()
function handler:EndElement()
stanza:up();
end
local parser;
-- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
function handler:StartDoctypeDecl()
if not parser.stop or not parser:stop() then
error("Failed to abort parsing");
end
end
function handler:ProcessingInstruction()
local function restricted_handler(parser)
if not parser.stop or not parser:stop() then
error("Failed to abort parsing");
end
end
handler.StartDoctypeDecl = restricted_handler;
handler.ProcessingInstruction = restricted_handler;
if not options or not options.allow_comments then
-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
function handler:Comment()
if not parser.stop or not parser:stop() then
error("Failed to abort parsing");
end
end
handler.Comment = restricted_handler;
end
parser = lxp.new(handler, ns_separator);
local parser = lxp.new(handler, ns_separator);
local ok, err, line, col = parser:parse(xml);
if ok then ok, err, line, col = parser:parse(); end
--parser:close();