Allowed by XML despite arguably being a control character.
Drops the part of the range meant to rule out octets invalid in UTF-8
(\247 starts a 4-byte sequence), since UTF-8 correctness is validated by
util.encodings.utf8.valid().
LuaExpat uses a registry reference to track handlers, which makes
it so that an upvalue like this creates a reference loop that keeps the
parser and its handlers from being garbage collected. The same issue has
affected util.xmppstream in the past.
Code for checking:
local xml_parse = require"util.xml".parse;
for i = 1, 10000 do xml_parse("<root/>") end
collectgarbage(); collectgarbage();
print(collectgarbage("count"), "KiB");
A future release of LuaExpat may fix the underlying issue there.
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
This may have mistakenly caused link-local addresses to be considered
global. May have caused mod_s2s and prosodyctl check dns to behave
incorrectly on networks using link-local IPv4 addresses. By my
guesstimate, these are extremely rare. Probably minimal impact beyond
a bit longer to establish s2s and some possible confusion from
prosodyctl check dns results.
Ref RFC 3927
This may be useful for any plugins that want to experiment with different policies
for stanza size limits (e.g. unauthenticated vs authenticated streams).
Testing has demonstrated that the default GC parameters are not
sufficient to prevent runaway memory growth when running under Lua 5.2
and Lua 5.3.
Setting the GC speed to 500 was tested on Lua versions 5.1->5.4 and did
not display unbounded memory growth.
Similar to util.ringbuffer (and shares almost identical API). Differences:
- size limit is optional and dynamic
- does not allocate a fixed buffer of max_size bytes
- focus on simply storing references to existing string objects where possible,
avoiding unnecessary allocations
- references are still stored in a ring buffer to enable use as a fast FIFO
Optional second parameter to new() provides the number of ring buffer segments. On
Lua 5.2 on my laptop, a segment is ~19 bytes. If the ring buffer fills up, the next
write will compact all strings into a single item.
The 'store' path componend used to be unescaped until 756a2a00e7e7 added
escaping to address issues with characters like '/' used in PEP, but
with a special case for '_' which was already in common use in 'store'
path components.
Missed adding this escaping here.
Normally these paths are injected into the installed 'prosody'
executable as absolute paths, but it is possible to override at least
the config path via environment variable or command line argument. This
makes sure a path relative to pwd stays relative to that instead of the
data directory.
Most serialization uses still use the default serialize() and thus
duplicate much of the setup, which negates some of the performance
improvements of the rewrite.
