prosody/spec
Jonas Schäfer e0b15fcba3 util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.

This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. By
default, it also introduces such a handler for comments; however, there
is a way to enable comments nonetheless.

This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
2022-01-10 18:23:54 +01:00
inputs/http net.http.parser: Add failing test for (large?) chunk-encoded responses 2020-08-21 13:41:51 +01:00
json Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
scansion mod_tombstones: Add a very basic test case 2021-12-23 15:17:18 +01:00
core_configmanager_spec.lua configmanager tests: Split long line 2019-12-09 11:57:10 +00:00
core_moduleapi_spec.lua spec: Trim trailing whitespace 2018-03-06 06:27:20 +01:00
core_storagemanager_spec.lua core.storagemanager: Respect archive ids issued by storage drivers in tests 2021-08-15 12:28:58 +02:00
mod_bosh_spec.lua mod_bosh: Add tests (run with 'busted -r bosh') 2018-09-23 17:12:21 +01:00
muc_util_spec.lua spec: Include a hacky moduleapi stub to allow test to proceed 2020-04-11 17:59:39 +02:00
net_http_parser_spec.lua net.http.parser: Allow configuration of the chunk size fed to the parser 2020-08-21 14:14:29 +01:00
net_http_server_spec.lua net.http.server: Prevent loading of net.server in tests (breaks unrelated tests for some reason) 2018-03-24 00:06:55 +01:00
net_websocket_frames_spec.lua net.websocket.frames: Add test for empty frame with MASK and key set 2020-10-15 14:01:22 +01:00
utf8_sequences.txt Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_argparse_spec.lua util.argparse: Add test for #1691 2021-10-12 14:54:04 +02:00
util_array_spec.lua util.array: Add :slice() method + tests 2021-09-12 10:50:20 +01:00
util_async_spec.lua util.async tests: Explicitly import match from luassert (luacheck) 2021-11-29 14:22:08 +00:00
util_cache_spec.lua util.cache: Add test for :table (fails on Lua 5.1) 2021-02-05 16:14:06 +01:00
util_dataforms_spec.lua util.dataforms: Ensure larger integers are serialized as such 2021-10-28 13:00:24 +02:00
util_datamanager_spec.lua util.datamanager: Add basic tests 2021-02-09 23:25:30 +01:00
util_datamapper_spec.lua util_datamapper: Fix typo in unit tests 2021-12-29 18:03:26 +01:00
util_datetime_spec.lua util.datetime: Add tests 2017-11-19 20:51:53 +01:00
util_dbuffer_spec.lua util.dbuffer: Fix bugs, remove multi-char support (more complex than first thought) 2021-06-29 14:25:57 +01:00
util_debug_spec.lua util.debug: Fix locals being reported under wrong stack frame in some cases (+tests!!) 2020-10-16 13:38:04 +01:00
util_encodings_spec.lua spec/util.encodings: Test a lonely padding (can appear like this in SASL) 2017-11-03 15:44:43 +01:00
util_envload_spec.lua util.envload: Add basic test of envload() 2021-03-26 13:03:22 +01:00
util_error_spec.lua util.error: Add coerce and wrap methods to registry(?) objects 2020-12-09 13:55:10 +00:00
util_events_spec.lua util.event: Add luacheck annotation to unused parameter in tests 2020-09-03 13:10:46 +01:00
util_format_spec.lua util.format: Ensure metatable __tostring results are also sanitized 2021-12-13 16:34:55 +01:00
util_hashes_spec.lua util.hashes: Fix output length of PBKDF2-HMAC-SHA256 2020-04-22 21:38:36 +02:00
util_hashring_spec.lua util.hashring: Add tests 2019-05-13 10:36:03 +01:00
util_hmac_spec.lua util.hmac: Ignore long hex lines in tests 2019-04-19 13:17:49 +02:00
util_http_spec.lua spec: Add test cases for util.http.contains_token 2020-04-10 20:20:14 +02:00
util_human_io_spec.lua util.human.io: Fix cutting of UTF-8 into pieces 2021-11-12 14:21:15 +01:00
util_human_units_spec.lua util.human.units: A library for formatting numbers with SI units 2019-01-04 08:46:26 +01:00
util_indexedbheap_spec.lua util.indexedbheap: Fix heap datastructure corruption in :reschedule(smaller_value) 2020-09-29 21:27:16 -05:00
util_interpolation_spec.lua util.interpolation: Add test for #1623 2021-01-25 21:27:05 +01:00
util_ip_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_iterators_spec.lua util.iterators tests: Check value matches expected [luacheck] 2018-09-21 14:30:20 +01:00
util_jid_spec.lua util.jid: Add test coverage for XEP-0106: JID Escaping functions 2020-08-28 18:43:37 +02:00
util_json_spec.lua util.json: Test util.array integration 2020-01-15 21:14:06 +01:00
util_jwt_spec.lua util.jwt: Remove unused return value from tests [luacheck] 2020-02-24 09:10:28 +01:00
util_multitable_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_paths_spec.lua util_paths_spec: Trim trailing white space 2020-10-17 19:24:44 +02:00
util_poll_spec.lua util.poll: Test that it loads after being compiled 2018-09-15 01:01:04 +02:00
util_promise_spec.lua util.promise: Fix test 2021-11-26 22:38:07 +01:00
util_pubsub_spec.lua util.pubsub: Fix item store resize to "max" 2022-01-06 01:18:35 +01:00
util_queue_spec.lua util.queue: Add 'consume()' convenience iterator 2019-03-23 08:47:55 +00:00
util_random_spec.lua spec/util.random: Check a larger range of sizes 2017-12-03 15:37:17 +01:00
util_rfc6724_spec.lua Port tests to the busted test runner 2017-09-15 17:07:57 -04:00
util_ringbuffer_spec.lua util.ringbuffer: Fix accidentally committed test change (thanks buildbot) 2020-06-25 15:45:13 +01:00
util_rsm_spec.lua util.rsm: Increase test coverage 2021-03-06 18:22:52 +01:00
util_sasl_spec.lua util.sasl: Add stub tests 2019-12-14 22:43:12 +01:00
util_serialization_spec.lua util.serialization: Add option for allowing multiple references to the same table (but not cycles) 2018-10-27 12:43:03 +02:00
util_smqueue_spec.lua util.smqueue: Simplify compat table, fix dependent modules (thanks Martin) 2021-12-16 12:16:45 +01:00
util_stanza_spec.lua util.stanza: Cover :find method in tests 2021-12-31 14:14:03 +01:00
util_strbitop.lua util.strbitop: Add tests covering basics 2020-10-15 16:41:51 +02:00
util_table_spec.lua util.table: Add test for create() 2018-12-23 15:01:37 +01:00
util_throttle_spec.lua Fix various spelling mistakes [codespell] 2019-05-03 20:54:24 +02:00
util_time_spec.lua util.time: Add brief tests 2018-08-18 00:41:49 +02:00
util_uuid_spec.lua util.random: Remove obsolete noop seed function 2017-09-16 17:22:51 +02:00
util_xml_spec.lua util.xml: Do not allow doctypes, comments or processing instructions 2022-01-10 18:23:54 +01:00
util_xmppstream_spec.lua util.xmppstream: Add tests for various XML features forbidden by the RFC 2018-07-11 11:58:25 +01:00