Commit graph

179 commits

Author SHA1 Message Date
Jonas Schäfer
23a43df6fb util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.

This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.

This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
2022-01-10 18:23:54 +01:00
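The hardening the commit message above describes, shown as an added example rather than Prosody's own util.xml code: Python's xml.parsers.expat wraps the same libexpat that LuaExpat does, so the same three handlers (doctype, processing instruction, comment) apply. Raising from the doctype handler matters because expat invokes it on `<!DOCTYPE name` before reading the internal subset, so a Billion Laughs payload's entity declarations are never parsed. The names UnsafeXML, make_hardened_parser, parse, is_rejected, expanded_length and billion_laughs are this example's own; the websocket `<open/>` frame and the payload are constructed inputs.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised by the handlers below as soon as a forbidden construct appears."""


def make_hardened_parser(allow_comments=False):
    """Expat parser that refuses DOCTYPE and processing instructions outright
    and, unless allow_comments is set, comments as well (example code)."""
    p = xml.parsers.expat.ParserCreate()

    # Expat calls this when it sees '<!DOCTYPE name', before it reads the
    # internal subset, so the ENTITY declarations of a Billion Laughs payload
    # are never parsed, let alone expanded.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("doctype declaration not allowed")

    def reject_pi(target, data):
        raise UnsafeXML("processing instruction not allowed")

    def reject_comment(data):
        raise UnsafeXML("comment not allowed")

    p.StartDoctypeDeclHandler = reject_doctype
    p.ProcessingInstructionHandler = reject_pi
    if not allow_comments:
        p.CommentHandler = reject_comment
    return p


def parse(data, allow_comments=False):
    """Parse with the hardened parser; return (root tag, root attrs, number of
    characters of text content) or raise UnsafeXML."""
    seen = {"root": None, "attrs": None, "chars": 0}
    p = make_hardened_parser(allow_comments)

    def start(tag, attrs):
        if seen["root"] is None:
            seen["root"], seen["attrs"] = tag, attrs

    def text(s):
        seen["chars"] += len(s)

    p.StartElementHandler = start
    p.CharacterDataHandler = text
    p.Parse(data, True)
    return seen["root"], seen["attrs"], seen["chars"]


def is_rejected(data, allow_comments=False):
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse(data, allow_comments)
    except UnsafeXML:
        return True
    return False


def expanded_length(data):
    """Character data produced by a plain, unhardened expat parser: for a
    payload built from nested internal entities this is the amplification."""
    total = 0
    p = xml.parsers.expat.ParserCreate()

    def text(s):
        nonlocal total
        total += len(s)

    p.CharacterDataHandler = text
    p.Parse(data, True)
    return total


# Constructed inputs. OPEN_FRAME is the RFC 7395 framing element that
# mod_websocket parses. billion_laughs() builds the classic nested-entity
# payload; the defaults give 10**4 copies of "lol" (30,000 characters from a
# few hundred bytes), kept deliberately small so the unhardened parse is harmless.
OPEN_FRAME = ('<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" '
              'to="example.com" version="1.0"/>')


def billion_laughs(levels=4, fanout=10):
    decls = [' <!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        decls.append(' <!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return "<!DOCTYPE open [\n%s\n]>\n<open>&lol%d;</open>" % ("\n".join(decls), levels)


if __name__ == "__main__":
    payload = billion_laughs()
    print("open frame:", parse(OPEN_FRAME)[:2])
    print("payload bytes: %d, expanded by plain expat: %d"
          % (len(payload), expanded_length(payload)))
    print("hardened parser rejects payload:", is_rejected(payload))
```

Two caveats worth knowing when applying this elsewhere: expat reports the `<?xml ...?>` declaration through its separate XmlDeclHandler, not as a processing instruction, so this parser does not reject it; and the rejection relies on the handler aborting the parse, so the exception must not be swallowed by a catch-all around Parse().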
Kim Alvefur
00735e4759 MUC: Fix logic for access to affiliation lists
Fixes https://prosody.im/security/advisory_20210722/

Backs out 4d7b925652d9
2021-07-22 17:18:39 +02:00
Kim Alvefur
8328e6681e util.stanza: Reject ASCII control characters (fixes #1606) 2020-11-11 16:00:41 +01:00
Matthew Wild
a095a0c533 util.debug: Fix locals being reported under wrong stack frame in some cases (+tests!!) 2020-10-16 13:38:04 +01:00
Kim Alvefur
d5161fbf6f util.strbitop: Add tests covering basics
Also as docs
2020-10-15 16:41:51 +02:00
Matthew Wild
64856637ce net.websocket.frames: Add test for empty frame with MASK and key set 2020-10-15 14:01:22 +01:00
Kim Alvefur
00bad1a9fe net.websocket.frames: Use C string XOR implementation 2020-10-14 19:41:42 +02:00
Kim Alvefur
d69cf3b007 net.websocket.frames: Add small test covering xor-masking
This is basically a recording of current behavior, to detect changes.
2020-10-14 19:02:48 +02:00
Kim Alvefur
d3b3e21720 util.dbuffer: Expose length as :len() method, like strings
Ref #1598
2020-10-12 20:20:02 +02:00
Matthew Wild
f5f2a709cd Merge 2020-09-30 09:46:30 +01:00
Waqas Hussain
80beeeb187 util.indexedbheap: Fix heap datastructure corruption in :reschedule(smaller_value) 2020-09-29 21:27:16 -05:00
Kim Alvefur
095c4f8344 util.dbuffer: Simplify test case
An earlier theory involved the bug being related to collapsing multiple
items, so it exercised that too.

Also correct the comment, it referred to the space in "hello world" in
an earlier version before the test string was changed to "foobar", which
was what was tested in a REPL
2020-08-24 17:28:48 +02:00
Matthew Wild
145f8fbad7 MUC tests: Add missing affiliation attribute 2020-04-23 13:44:47 +01:00
Matthew Wild
fef49a627e Backed out changeset 18f2c7bc5795 (was testing against wrong branch) 2020-04-23 13:43:29 +01:00
Matthew Wild
7d8f93d688 MUC tests: Add <required/> to expected form field 2020-04-23 13:29:23 +01:00
Kim Alvefur
0b32ffe859 scansion/blocking: Remove the right irrelevant thing 2019-06-20 22:25:46 +02:00
Kim Alvefur
438982da4c mod_blocklist: Remove unrelated tags from test case 2019-06-20 22:10:19 +02:00
Kim Alvefur
2ab9c22c26 mod_blocklist: Update test case with correct behavior (see #1380)
Expect failure
2019-06-20 21:18:46 +02:00
Kim Alvefur
1e2c3cdc46 mod_blocklist: Add test case capturing current behavior 2019-06-20 21:08:12 +02:00
Kim Alvefur
5d4504e51b util.pubsub: Validate node configuration on node creation (fixes #1328) 2019-03-03 19:31:56 +01:00
Kim Alvefur
3b8e8f6a45 spec: Add test case for #1322 2019-02-27 10:27:17 +01:00
Kim Alvefur
da56744645 util.pubsub: Add support for requesting multiple specific items (needed for #1305) 2019-01-28 01:41:01 +01:00
Kim Alvefur
9f19a48ee2 util.pubsub: Restore subscription index from stored data (fixes #1281) 2018-12-29 21:47:51 +01:00
Kim Alvefur
67a3bf56f3 mod_mam: Add test for JID normalization in prefs (see #1275) 2018-12-23 15:22:49 +01:00
Kim Alvefur
85a028c727 MUC: Allow changing data attached to an only owner (fixes #1273)
This previously prevented a single owner from setting their own nickname
via admin query.

The form method uses `true` as actor so it bypasses this check.
2018-12-20 14:45:22 +01:00
Matthew Wild
ee729847c3 spec/scansion: Fix test names of tests added in 0d97768b0ea9 2018-12-19 16:54:07 +00:00
Matthew Wild
6b8d5f97ed spec/scansion: Add tests for members-only rooms 2018-12-19 13:25:15 +00:00
Kim Alvefur
1bf2e5f5f4 util.stanza: Improve tests 2018-12-02 02:16:21 +01:00
Kim Alvefur
7f75a66d21 net.websocket.frames: Add some brief tests
These are mostly just recordings of minimal input roundtripped back into tables.
2018-11-29 17:20:49 +01:00
Kim Alvefur
50f6335501 util.stanza: Validate input to clone() (with brief tests) 2018-11-17 15:26:11 +01:00
Kim Alvefur
4c07742fbb spec/scansion/prosody.cfg.lua: Add comment about mod_scansion_record
This was accidentally included in a previous commit, but having it here
makes it easier to enable when making new test cases.
2018-11-12 22:49:54 +01:00
Kim Alvefur
cdf083b8d4 MUC: Add scansion test case for #1230 2018-11-12 18:25:40 +01:00
Matthew Wild
bab787b0ec issue1224.scs: Fix to expect new affiliation change notifications 2018-10-31 14:18:36 +00:00
Matthew Wild
45ae85d523 issue1224.scs: Update title 2018-10-31 13:30:38 +00:00
Matthew Wild
02c97f3066 muc_affiliation_notify.scs: Remove trailing whitespace 2018-10-31 13:18:01 +00:00
Matthew Wild
e791ba30b5 muc_register.scs: Fix to expect new affiliation change notifications 2018-10-31 14:19:01 +00:00
Matthew Wild
54ecdb5cd0 MUC: Announce affiliation changes for JIDs that are not in the room 2018-10-31 13:13:05 +00:00
Kim Alvefur
e6400cd0d8 pubsub: Set pubsub#title as name attribute in disco#items (fixes #1226) 2018-10-30 18:20:54 +01:00
Matthew Wild
0ec2f1debd spec/scansion: Add pep_publish_subscribe (fixes #1222) 2018-10-30 12:24:48 +00:00
Kim Alvefur
fdbc23fab6 util.serialization: Add option for allowing multiple references to the same table (but not cycles) 2018-10-27 12:43:03 +02:00
Kim Alvefur
2801e1f100 util.serialization: Test rejection of multiple references to same table 2018-10-27 12:40:47 +02:00
Matthew Wild
37bedc7314 util.promise: Add tests ensuring returning a promise resolves the current promise with that promise 2018-10-26 09:23:00 +01:00
Matthew Wild
201dbb74cc util.promise tests: Fix declared but unused variables 2018-10-25 15:33:46 +01:00
Matthew Wild
e6ff6e333c util.promise: Fix missing parameters 2018-10-25 15:24:52 +01:00
Matthew Wild
b74a643e34 util.promise: Ensure chained promises always receive a value/rejection even if an intermediate promise has no handlers 2018-10-25 14:38:00 +01:00
Kim Alvefur
687384a94a storagemanager: Fix tests on Lua 5.3
_G.unpack moved to table.unpack
2018-10-21 21:03:54 +02:00
Matthew Wild
9825eee8c1 MUC: Use the bare JID when performing a lookup for COMPAT with clients that don't set it (fixes #1224)
The full JID is never meant to be the target of affiliation changes.
2018-10-21 16:04:54 +01:00
Kim Alvefur
023e5839c2 tests: Add some comments to xep54 test 2018-10-20 17:31:17 +02:00
Kim Alvefur
006a19da77 tests: Remove initial read since XEP is unclear (see #1104)
If the store is empty then either this empty vCard element or an
item-not-found error is acceptable.
2018-10-20 17:29:31 +02:00
Kim Alvefur
bf624bbe1c tests: Set a proper title for vCard test 2018-10-20 17:28:52 +02:00