Commit graph

12 commits

Author SHA1 Message Date
Jonas Schäfer
e0b15fcba3 util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.

This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.

This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
2022-01-10 18:23:54 +01:00
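The handler-based guard this commit describes, as an added example that is not Prosody's code: it mirrors the approach with Python's expat binding (xml.parsers.expat) instead of LuaExpat, refusing doctype declarations and processing instructions unconditionally and comments unless the caller opts in. The function and sample inputs are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted input contains a construct we refuse to parse."""


def parse_untrusted_xml(data, allow_comments=False):
    """Parse `data` with expat, rejecting doctype declarations and processing
    instructions outright; comments are rejected unless allow_comments is set.
    Returns (root_element_name, element_count)."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"root": None, "count": 0}

    def reject(kind):
        # Handler that aborts parsing; pyexpat re-raises it from Parse().
        def handler(*_args):
            raise UnsafeXMLError("%s not allowed at line %d, column %d" % (
                kind, parser.CurrentLineNumber, parser.CurrentColumnNumber))
        return handler

    def start_element(name, _attrs):
        if seen["root"] is None:
            seen["root"] = name
        seen["count"] += 1

    # A doctype is where entity declarations (the Billion Laughs vector) live,
    # so it is refused as soon as it starts, before any entity is declared.
    parser.StartDoctypeDeclHandler = reject("doctype declaration")
    # The XML declaration (<?xml ...?>) is not a PI and still passes.
    parser.ProcessingInstructionHandler = reject("processing instruction")
    if not allow_comments:
        parser.CommentHandler = reject("comment")
    parser.StartElementHandler = start_element

    parser.Parse(data, True)
    return seen["root"], seen["count"]


def is_rejected(data, allow_comments=False):
    """True if parse_untrusted_xml refuses `data`."""
    try:
        parse_untrusted_xml(data, allow_comments=allow_comments)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: an XMPP-framing <open/> frame, then the same frame
    # preceded by a doctype, which is refused before its entities are read.
    frame = '<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" version="1.0"/>'
    print(parse_untrusted_xml(frame))
    print(is_rejected('<!DOCTYPE open [<!ENTITY a "x">]>' + frame))
```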
Matthew Wild
5a1aa107c3 util.xml: Use variable instead of constant for consistency (thanks Thijs) 2021-12-26 20:37:20 +00:00
Kim Alvefur
f875b6f99c util.xml: Fix float formatting of line and columns in error (on Lua 5.3+) 2020-10-03 16:22:56 +02:00
Kim Alvefur
43b814a83b various: Add annotation when an empty environment is set [luacheck] 2018-02-28 20:06:26 +01:00
Waqas Hussain
edcf8f0c7d util.xml: Correct stanza.namespaces table construction when duplicate prefix names are encountered in the element tree. 2016-03-05 17:51:35 -05:00
Matthew Wild
dd37beeff9 util.stanza, util.xml, util.xmppstream: Add support for tracking defined namespaces and their prefix (stanza.namespaces), knowing/preserving prefix names is required for some applications (thanks daurnimator) 2015-12-08 23:15:42 +00:00
Kim Alvefur
eaa823a597 util.*: Remove use of module() function, make all module functions local and return them in a table at the end 2015-02-21 10:36:37 +01:00
Matthew Wild
ed2dc14ab3 util.xml: Remove unused parameter (thanks, luacheck) 2015-05-06 19:39:28 +01:00
Matthew Wild
7b3df2bae6 portmanager, s2smanager, sessionmanager, stanza_router, storagemanager, usermanager, util.xml: Add luacheck annotations 2015-05-06 19:20:07 +01:00
Florian Zeitz
1d833bb807 Remove all trailing whitespace 2013-08-09 17:48:21 +02:00
Waqas Hussain
36df4aa5d6 util.xml: Fix module name. 2012-12-03 10:01:46 +05:00
Waqas Hussain
38be504b2c util.xml: Initial commit; exposes parse(), which is now the canonical way to convert a string to a stanza. 2012-12-03 05:32:51 +05:00