prosody-modules
527c747711f3
mod_clean_roster/mod_clean_roster.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_clean_roster/mod_clean_roster.lua @ 5705:527c747711f3

mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:30:49 +0100
parent 5085:e384b91d0aa7
line wrap: on
line source

local s_find = string.find;

local pctl = require "util.prosodyctl";

local rostermanager = require "core.rostermanager";
local storagemanager = require "core.storagemanager";
local usermanager = require "core.usermanager";

-- copypaste from util.stanza
local function valid_xml_cdata(str, attr)
	return not s_find(str, attr and "[^\1\9\10\13\20-~\128-\247]" or "[^\9\10\13\20-~\128-\247]");
end

function module.command(_arg)
	if select(2, pctl.isrunning()) then
		pctl.show_warning("Stop Prosody before running this command");
		return 1;
	end

	for hostname, host in pairs(prosody.hosts) do
		if hostname ~= "*" then
			if host.users.name == "null" then
				storagemanager.initialize_host(hostname);
				usermanager.initialize_host(hostname);
			end
			local fixes = 0;
			for username in host.users.users() do
				local roster = rostermanager.load_roster(username, hostname);
				local changed = false;
				for contact, item in pairs(roster) do
					if contact ~= false then
						if item.name and not valid_xml_cdata(item.name, false) then
							item.name = item.name:gsub("[^\9\10\13\20-~\128-\247]", "�");
							fixes = fixes + 1;
							changed = true;
						end
						local clean_groups = {};
						for group in pairs(item.groups) do
							if valid_xml_cdata(group, false) then
								clean_groups[group] = true;
							else
								clean_groups[group:gsub("[^\9\10\13\20-~\128-\247]",  "�")] = true;
								fixes = fixes + 1;
								changed = true;
							end
						end
						item.groups = clean_groups;
					else
						-- pending entries etc
					end
				end
				if changed then
					assert(rostermanager.save_roster(username, hostname, roster));
				end
			end
			pctl.show_message("Fixed %d items on host %s", fixes, hostname);
		end
	end
	return 0;
end