util.xmppstream: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning.

2025-04-04 21:57:45 +03:00 · 2011-06-01 23:02:10 +01:00 · 2011-06-01 23:02:10 +01:00 · a587c56a9f
commit a587c56a9f
parent 544b19989d
1 changed files with 21 additions and 0 deletions
--- a/util/xmppstream.lua
+++ b/util/xmppstream.lua
@ -19,6 +19,16 @@ local setmetatable = setmetatable;

 local default_log = require "util.logger".init("xmppstream");

+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+	default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+		.."vulnerable to denial-of-service attacks. You should upgrade to "
+		.."LuaExpat 1.1.1 or higher as soon as possible. See "
+		.."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
 local error = error;

 module "xmppstream"
@ -158,6 +168,17 @@ function new_sax_handlers(session, stream_callbacks)
 		end
 	end
 	
+	local function restricted_handler()
+		cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+	end
+	
+	if lxp_supports_doctype then
+		xml_handlers.StartDoctypeDecl = restricted_handler;
+	end
+	xml_handlers.Comment = restricted_handler;
+	xml_handlers.StartCdataSection = restricted_handler;
+	xml_handlers.ProcessingInstruction = restricted_handler;
+	
 	local function reset()
 		stanza, chardata = nil, {};
 		stack = {};