The 'global' property should reflect whether the module API instance
represents the global context or a VirtualHost or Component context.
However the module:context() method did not override this, leading the
property of the previous module shining trough, leading to bugs in code
relying on the 'global' property.
See also #1736
The second return value is (not insensibly) assumed to be an error. Instead of
returning a value there in the success case, copy the positional arguments
into the existing opts table.
This is the same as the input table (which is mutated during processing), but
if that table was created on the fly, such as by packing `...` it's convenient
if it also gets returned from the parse function.
This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).
Thanks to Zash for discovery and testing.
Turns out this table was wrong, it's missing some fields which are
required and it's 'name', not 'node'. Setting it to the boolean true
invokes compatibility behavior in mod_pep which results in the correct
default structure.
This flag is something of a shortcut for `module.host == "*"` and should
always be equal to that. Its absence on the proxy object made the
property of the global module instance visible, causing problems such as
with URL reporting in mod_http
util.crand can be configured at compile time to use the Linux
getrandom() system call, available from Linux 3.17, but it is still
possible to load it with an older kernel lacking that system call, where
attempting to use it throws an ENOSYS error.
By testing for this on load we can fall back to /dev/urandom in this
case.
The same-origin policy enforced by browsers is a security measure that should
only be turned off when it is safe to do so. It is safe to do so in Prosody's
default modules, but people may load third-party modules that are unsafe.
Therefore we have flipped the default, so that modules must explicitly opt in
to having CORS headers added on their requests.
This is allowed by XEP-0045, which states:
"A moderator SHOULD NOT be allowed to revoke moderation privileges from
someone with a higher affiliation than themselves (i.e., an unaffiliated
moderator SHOULD NOT be allowed to revoke moderation privileges from an admin
or an owner, and an admin SHOULD NOT be allowed to revoke moderation
privileges from an owner)."
The "socket.unix" module exported only a function before
aa1b8cc9bc
when datagram support was added.
Fixes#1717
Thanks rsc and lucas for reporting and testing
Some NATs don't preserve port numbers, which can cause the TURN server's
reported relay address to be incorrect (the TURN server has no way to predict
what the external port is, so it can't be corrected in config like an IP
mismatch can).
Fallback code for not having either the string.pack and string.unpack
functions available in Lua 5.4 or the struct lib is no longer needed
since the struct lib was imported as util.struct in 3ce3633527af
