LuaExpat uses a registry reference to track handlers, which makes
it so that an upvalue like this creates a reference loop that keeps the
parser and its handlers from being garbage collected. The same issue has
affected util.xmppstream in the past.
Code for checking:
local xml_parse = require"util.xml".parse;
for i = 1, 10000 do xml_parse("<root/>") end
collectgarbage(); collectgarbage();
print(collectgarbage("count"), "KiB");
A future release of LuaExpat may fix the underlying issue there.
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
Data is already wiped from storage, but this ensures everything is
properly unsubscribed, possibly with notifications etc.
Clears recipient cache as well, since it is no longer relevant.
Should call timers less frequently when many sockets are waiting for
processing. May help under heavy load.
Requested by Ge0rG
Backport of 2bcd84123eba requested by Roi
Likely affected rescheduling but have no reports of this.
After readding a timer, it would have been issued a new id. Rescheduling
would use the previous id, thus not working.
POSIX is quite explicit regarding the precedence of AND-OR lists [0]:
> The operators "&&" and "||" shall have equal precedence and shall be
> evaluated with left associativity. For example, both of the following
> commands write solely `bar` to standard output:
> false && echo foo || echo bar
> true || echo foo && echo bar
Given that, `prosody.version` target behaves as
((((((test -f prosody.release && cp ...) ||
test -f ...) &&
sed ...) ||
test -f ...) &&
hexdump ...) ||
echo unknown > $@)
In the case of release tarballs, `prosody.release` does exist, so the
first AND pair is executed. Given that it's successful, then the first
`test -f` in the OR pair is ignored, and instead the `sed` in the AND
pair is executed. `sed` success, as `.hg_archival.txt` exists, making
the second `test -f` in the OR pair ignored, and `hexdump` in the AND
pair is executed. Now, given that `.hg` doesn't exist, it fails, so the
last `echo` is run, overwriting `prosody.version` with `unknown`.
This can be worked around placing `()` around the AND pairs. Decided to use
conditionals instead, as I think they better communicate the intention
of the block.
[0]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_09_03
This may have mistakenly caused link-local addresses to be considered
global. May have caused mod_s2s and prosodyctl check dns to behave
incorrectly on networks using link-local IPv4 addresses. By my
guesstimate, these are extremely rare. Probably minimal impact beyond
a bit longer to establish s2s and some possible confusion from
prosodyctl check dns results.
Ref RFC 3927
Originally added in 202b9951b037 but util.pubsub gained a better method
in 6c2c2fc4b8dd since then, which mod_pep uses since 9194431b6447 which
should have deleted this.
All these :create calls would have failed with a 'conflict' error, since
the nodes had already been created. This was never noticed because of
missing error handling.
Also note that this code did not restore node configuration.
This may be useful for any plugins that want to experiment with different policies
for stanza size limits (e.g. unauthenticated vs authenticated streams).
The de-facto interpretation of this (undocumented) option is to indicate to
the client whether it is allowed to invite other users to the MUC.
This is differs from the existing option in our config form, which only
controls the behaviour of sending of invites in a members-only MUC (we always
allow invites in open rooms).
Conversations is one client known to use this disco#info item to determine
whether it may send invites.
c2s/bosh/ws streams will default to 256KB, s2s and components to 512KB.
These values are aligned with ejabberd's default settings, which should reduce
issues related to inconsistent size limits between servers on the XMPP network.
The previous default (10MB) is excessive for any production server, and allows
significant memory usage by even unauthenticated sessions.
Testing has demonstrated that the default GC parameters are not
sufficient to prevent runaway memory growth when running under Lua 5.2
and Lua 5.3.
Setting the GC speed to 500 was tested on Lua versions 5.1->5.4 and did
not display unbounded memory growth.
