prosody/spec
Jonas Schäfer 23a43df6fb util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.

This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.

This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
2022-01-10 18:23:54 +01:00
json Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
scansion MUC: Fix logic for access to affiliation lists 2021-07-22 17:18:39 +02:00
core_configmanager_spec.lua spec: Correct order of arguments to asserts in configmanager tests 2018-08-11 19:59:19 +02:00
core_moduleapi_spec.lua spec: Trim trailing whitespace 2018-03-06 06:27:20 +01:00
core_storagemanager_spec.lua storagemanager: Fix tests on Lua 5.3 2018-10-21 21:03:54 +02:00
mod_bosh_spec.lua mod_bosh: Add tests (run with 'busted -r bosh') 2018-09-23 17:12:21 +01:00
muc_util_spec.lua tests: Add muc/util tests for filtering MUC elements 2018-08-19 13:20:55 +01:00
net_http_parser_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
net_http_server_spec.lua net.http.server: Prevent loading of net.server in tests (breaks unrelated tests for some reason) 2018-03-24 00:06:55 +01:00
net_websocket_frames_spec.lua net.websocket.frames: Add test for empty frame with MASK and key set 2020-10-15 14:01:22 +01:00
utf8_sequences.txt Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_async_spec.lua util.async: Remove async.once(), can now be replaced by runner():run(func) 2018-03-23 14:22:01 +00:00
util_cache_spec.lua util.cache tests: Add annotation to fix [luacheck] warning 2018-09-17 15:25:47 +01:00
util_dataforms_spec.lua util.dataforms: Add support for XEP-0122: Data Forms Validation 2018-09-01 03:10:09 +02:00
util_datetime_spec.lua util.datetime: Add tests 2017-11-19 20:51:53 +01:00
util_dbuffer_spec.lua util.dbuffer: Expose length as :len() method, like strings 2020-10-12 20:20:02 +02:00
util_debug_spec.lua util.debug: Fix locals being reported under wrong stack frame in some cases (+tests!!) 2020-10-16 13:38:04 +01:00
util_encodings_spec.lua spec/util.encodings: Test a lonly padding (can appear like this in SASL) 2017-11-03 15:44:43 +01:00
util_events_spec.lua Fix wrong tests committed with 7b621a4a2e8d 2018-05-18 15:20:32 +01:00
util_format_spec.lua util.format: Add test coverage for case of extra nil argument 2018-03-17 19:47:48 +01:00
util_http_spec.lua util.http: Add tests for normalize_path 2018-10-14 14:32:02 +02:00
util_indexedbheap_spec.lua util.indexedbheap: Fix heap datastructure corruption in :reschedule(smaller_value) 2020-09-29 21:27:16 -05:00
util_ip_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_iterators_spec.lua util.iterators tests: Check value matches expected [luacheck] 2018-09-21 14:30:20 +01:00
util_jid_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_json_spec.lua util.json tests: Add [luacheck] annotation to mark intentionally-empty if branch 2018-09-17 15:28:53 +01:00
util_multitable_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_poll_spec.lua util.poll: Test that it loads after being compiled 2018-09-15 01:01:04 +02:00
util_promise_spec.lua util.promise: Add tests ensuring returning a promise resolves the current promise with that promise 2018-10-26 09:23:00 +01:00
util_pubsub_spec.lua util.pubsub: Validate node configuration on node creation (fixes #1328) 2019-03-03 19:31:56 +01:00
util_queue_spec.lua spec/util_queue: Add iterator and peek tests for 100% line coverage 2017-09-16 10:16:08 +01:00
util_random_spec.lua spec/util.random: Check a larger range of sizes 2017-12-03 15:37:17 +01:00
util_rfc6724_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_serialization_spec.lua util.serialization: Add option for allowing multiple references to the same table (but not cycles) 2018-10-27 12:43:03 +02:00
util_stanza_spec.lua util.stanza: Reject ASCII control characters (fixes #1606) 2020-11-11 16:00:41 +01:00
util_strbitop.lua util.strbitop: Add tests covering basics 2020-10-15 16:41:51 +02:00
util_throttle_spec.lua util_throttle_spec: Fix minor typo in test title 2017-12-21 12:22:46 -05:00
util_time_spec.lua util.time: Add brief tests 2018-08-18 00:41:49 +02:00
util_uuid_spec.lua util.random: Remove obsolete noop seed function 2017-09-16 17:22:51 +02:00
util_xml_spec.lua util.xml: Do not allow doctypes, comments or processing instructions 2022-01-10 18:23:54 +01:00
util_xmppstream_spec.lua util.xmppstream: Add tests for various XML features forbidden by the RFC 2018-07-11 11:58:25 +01:00