Software / code / prosody
Annotate
.hgtags @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 12090:e77735354fad |
| child | 12182:5e21cf21d398 |
| rev | line source |
|---|---|
|
538
26d000f25939
Added tag 0.1.0 for changeset c157c1412bda
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 c157c1412bda91b6e075e70875b4605e3e20b290 0.1.0 |
|
647
02f4ec1115cd
Added tag 0.2 for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
538
diff
changeset
|
2 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 0.2 |
|
651
99f365b758f1
Added tag 0.20, -m, Fix incorrect version number as tag for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
647
diff
changeset
|
3 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 0.20 |
|
99f365b758f1
Added tag 0.20, -m, Fix incorrect version number as tag for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
647
diff
changeset
|
4 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 -m |
|
99f365b758f1
Added tag 0.20, -m, Fix incorrect version number as tag for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
647
diff
changeset
|
5 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 Fix incorrect version number as tag |
|
652
aae898634301
Added tag 0.20, -m, Fix incorrect version number as tag for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
651
diff
changeset
|
6 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 0.20 |
|
aae898634301
Added tag 0.20, -m, Fix incorrect version number as tag for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
651
diff
changeset
|
7 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 -m |
|
aae898634301
Added tag 0.20, -m, Fix incorrect version number as tag for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
651
diff
changeset
|
8 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 Fix incorrect version number as tag |
|
653
1c8a92a90e19
Added tag 0.2.0, -m, Fix incorrect version number as tag (again) for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
652
diff
changeset
|
9 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 0.2.0 |
|
1c8a92a90e19
Added tag 0.2.0, -m, Fix incorrect version number as tag (again) for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
652
diff
changeset
|
10 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 -m |
|
1c8a92a90e19
Added tag 0.2.0, -m, Fix incorrect version number as tag (again) for changeset 90da4c9b34b5
Matthew Wild <mwild1@gmail.com>
parents:
652
diff
changeset
|
11 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 Fix incorrect version number as tag (again) |
|
654
f1b4196ce745
Fix incorrect version number as tag (again) (again)
Matthew Wild <mwild1@gmail.com>
parents:
653
diff
changeset
|
12 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 0.2.0 |
|
655
246155f91d06
Fix incorrect version number as tag (again) (again)
Matthew Wild <mwild1@gmail.com>
parents:
654
diff
changeset
|
13 90da4c9b34b52dc3c3cc2c8f9e633364f7caec16 0.2.0 |
| 656 | 14 0000000000000000000000000000000000000000 0.2 |
| 15 0000000000000000000000000000000000000000 0.20 | |
| 16 0000000000000000000000000000000000000000 -m | |
| 17 0000000000000000000000000000000000000000 Fix incorrect version number as tag | |
| 18 0000000000000000000000000000000000000000 Fix incorrect version number as tag (again) | |
| 19 | |
| 662 | 20 59c3f9a4996969b44180caf7c76430b8edf49426 0.2.0 |
|
764
b8a62ae5601a
Happy birthday to me, happy... 0.3.0!
Matthew Wild <mwild1@gmail.com>
parents:
662
diff
changeset
|
21 8e77a39826c2cd7bb903cf2091473dbfe33f4d2b 0.3.0 |
|
768
a5195e3b0e44
Retagging 0.3.0, used up my mistake quota for today
Matthew Wild <mwild1@gmail.com>
parents:
764
diff
changeset
|
22 13ae298c67d78485f1d795fcc7ffeb2057876fb7 0.3.0 |
| 948 | 23 84202314ab7f974f7e3b5706e65ddadb9b99274b 0.4.0 |
| 949 | 24 4aff205cc4cd5e1e22f5130fecc47d24be1ee5bf 0.4.0 |
| 1129 | 25 b2e548344d61ebbfd1474baedc5aa187f874948a 0.4.1 |
| 1194 | 26 b1b42ce4f0f6a8f587c2925724694c0e8b437dce 0.4.2 |
| 1196 | 27 6b91a2b39680f0f7195fec561a3ce3d660ea0c20 0.4.2 |
| 1563 | 28 06030af44faddd7d3c20e7d380bb55b92b079c5f 0.5.0 |
| 1624 | 29 a63ff2fbba8d0a29503e7552a29fc7c831faa23c 0.5.1 |
| 1802 | 30 cea841708dd462c7634df68e84429402f6cdf71d 0.5.2 |
| 1811 | 31 cea841708dd462c7634df68e84429402f6cdf71d 0.5.2 |
| 32 7c45ae42923a1ef03406e481af2a4a6f356361b8 0.5.2 | |
| 1813 | 33 7c45ae42923a1ef03406e481af2a4a6f356361b8 0.5.2 |
| 34 e32593074602a785d152f9e153825f29db4d0973 0.5.2 | |
| 1838 | 35 e32593074602a785d152f9e153825f29db4d0973 0.5.2 |
| 36 5ae3209fefa2c8dc1c53d08c2c1caa340b8ec542 0.5.2 | |
| 2225 | 37 1a99a3bf3ce6dbdfb362b7fd101d761fb3cc10af 0.6.0 |
| 2226 | 38 81b4e738e4d321b78274132f63a9aec7007e64eb 0.6.1 |
| 2983 | 39 0395f2f34bd55a01ec7276884fb9a4e0051b0e7a 0.6.2 |
| 3225 | 40 ea80531e5cbc567c3e211d38749c45e8b66d33b7 0.7.0 |
| 3241 | 41 ea80531e5cbc567c3e211d38749c45e8b66d33b7 0.7.0 |
| 42 5ea90ee96022b9c106e7e79b4a1d8b2ee99d45dc 0.7.0 | |
| 4242 | 43 49b9e73e31ef38ff1c0141a83f897b5837c40d83 0.8.0 |
| 4256 | 44 aa905291a66c7d8168b1cb912bb173e6478dac05 0.8.1 |
| 4298 | 45 aa905291a66c7d8168b1cb912bb173e6478dac05 0.8.1 |
| 46 3421dfaa81880201e9ade8b4eee727ade9a9ce33 0.8.1 | |
| 4320 | 47 44b131d7041ba40ff2cab6519d1543d33ff679a4 0.8.2 |
|
5803
953942f4d737
Added tag 0.9.0 for changeset 6ef79af0c445
Matthew Wild <mwild1@gmail.com>
parents:
4320
diff
changeset
|
48 6ef79af0c4455851ae45fa4da1033ba2cccada88 0.9.0 |
| 5826 | 49 6bc4077bc1f96ff83795fcc423ff270a28156d1c 0.9.1 |
| 5930 | 50 49e3c49eb0d8f33e94e2bf37e5421deacac5f499 0.9.2 |
| 5934 | 51 49e3c49eb0d8f33e94e2bf37e5421deacac5f499 0.9.2 |
| 52 56b1f151f4a31fcc7dbde49e064a288715077ece 0.9.2 | |
| 5977 | 53 872ff4851c9b6cd662aac4b1a056ac2a97c85ce5 0.9.3 |
| 6051 | 54 5d73412aa1ba39081683ab922575eae93e4e867a 0.9.4 |
| 6369 | 55 8dee696c33cc5f7463c8b9e9fe806b9abd24c115 0.9.5 |
| 6497 | 56 e4b998ffc92249ea96716ab878f961f03769339d 0.9.6 |
| 6500 | 57 9030b056bd4a5b8402c9b1e1cd65dd35f046032f 0.9.7 |
| 6601 | 58 b1c84d220c409b7b17cd41e850576db253406b0a 0.9.8 |
|
7060
eed0632cd636
Added tag 0.9.9 for changeset 7ec52755622f
Matthew Wild <mwild1@gmail.com>
parents:
6601
diff
changeset
|
59 7ec52755622f1009aaf7b02fc9bc91e8ad9974be 0.9.9 |
|
7105
01bd0ac9cf0c
Added tag 0.9.10 for changeset 352270bc0439
Matthew Wild <mwild1@gmail.com>
parents:
7060
diff
changeset
|
60 352270bc04393910a567b569ede03358dbb728b5 0.9.10 |
| 7678 | 61 8613086779fa9276615c2af066d2a10c38d0c86e 0.9.11 |
|
7804
4e649ffdb314
Added tag 0.9.12 for changeset 2a7b52437167
Matthew Wild <mwild1@gmail.com>
parents:
7678
diff
changeset
|
62 2a7b52437167a5c7b6c8a5bc79f4463afe092fd5 0.9.12 |
|
8287
66ab0d1b7303
Added tag 0.10.0 for changeset 39966cbc29f4
Matthew Wild <mwild1@gmail.com>
parents:
7804
diff
changeset
|
63 39966cbc29f46d7ae9660edca8683d5121c82edf 0.10.0 |
|
8587
986c3e22ec32
Added tag 0.9.13 for changeset 082d12728645
Matthew Wild <mwild1@gmail.com>
parents:
7804
diff
changeset
|
64 082d127286451eb55420c36424dd321e8d9bceee 0.9.13 |
|
8790
85f13967eb07
Added tag 0.10.1 for changeset 4ae8dd415e94
Matthew Wild <mwild1@gmail.com>
parents:
8590
diff
changeset
|
65 4ae8dd415e9431924ad4aa0b57bcee8a4a9272f8 0.10.1 |
|
8845
c6b45cac9423
Added tag 0.9.14 for changeset 29c6d2681bad
Matthew Wild <mwild1@gmail.com>
parents:
8587
diff
changeset
|
66 29c6d2681bad9f67d8bd548bb3a7973473bae91e 0.9.14 |
|
8880
9e565d0b1771
Added tag 0.10.2 for changeset 7ec098b68042
Matthew Wild <mwild1@gmail.com>
parents:
8846
diff
changeset
|
67 7ec098b68042f60687f1002e788b34b06048945d 0.10.2 |
|
9639
78caa4aafda1
Added tag 0.11.0 for changeset 83f3a05c1b1b
Matthew Wild <mwild1@gmail.com>
parents:
8880
diff
changeset
|
68 83f3a05c1b1bb9b54b3b153077a06eb02e247c8e 0.11.0 |
|
9655
e9b8982e3b5d
Added tag 0.11.1 for changeset 91856829f18b
Matthew Wild <mwild1@gmail.com>
parents:
9639
diff
changeset
|
69 91856829f18bb8ef7056ca02464122fc6de17807 0.11.1 |
|
9773
7e053c022782
Added tag 0.10.3 for changeset bb8486491b48
Matthew Wild <mwild1@gmail.com>
parents:
8880
diff
changeset
|
70 bb8486491b48431236c0d32548c20d9853781e69 0.10.3 |
|
9776
c6cf32de940d
Added tag 0.11.2 for changeset 4f8b6c09e5f3
Matthew Wild <mwild1@gmail.com>
parents:
9774
diff
changeset
|
71 4f8b6c09e5f328e3d3d4233dc78fa4fd0535171c 0.11.2 |
|
10236
37ddbfea561e
Added tag 0.11.3 for changeset dd7e924c74ef
Matthew Wild <mwild1@gmail.com>
parents:
9776
diff
changeset
|
72 dd7e924c74ef27b7f92eb872d2db50aaa229b234 0.11.3 |
|
10606
aa8d133f2ee7
Added tag 0.11.4 for changeset 10d6d0d91f4e
Kim Alvefur <zash@zash.se>
parents:
10236
diff
changeset
|
73 10d6d0d91f4ec47a6eb446792fee1d4b79a914d7 0.11.4 |
|
10605
f7dd32974f15
Added tag 0.11.5 for changeset dbd60f473164
Matthew Wild <mwild1@gmail.com>
parents:
10236
diff
changeset
|
74 dbd60f47316492bc367802914dc8fa47f4b3edac 0.11.5 |
|
11061
45e1c467a3a7
Added tag 0.11.6 for changeset bacca65ce107
Matthew Wild <mwild1@gmail.com>
parents:
10607
diff
changeset
|
75 bacca65ce107b8549ce5f9079e81e5771eed2021 0.11.6 |
|
11119
68df52bf08d5
Added tag 0.11.7 for changeset ece430d49809
Matthew Wild <mwild1@gmail.com>
parents:
11061
diff
changeset
|
76 0000000000000000000000000000000000000000 0.11.7 |
|
68df52bf08d5
Added tag 0.11.7 for changeset ece430d49809
Matthew Wild <mwild1@gmail.com>
parents:
11061
diff
changeset
|
77 ece430d4980997b216c2240015bf922bdeb12dd6 0.11.7 |
| 11377 | 78 774811e2c6abfc5a1b1dd60007cf564bb7c1f969 0.11.8 |
|
11559
56785f32e1d4
Added tag 0.11.9 for changeset d0e9ffccdef9
Matthew Wild <mwild1@gmail.com>
parents:
11377
diff
changeset
|
79 d0e9ffccdef934af554ea2d4a5beb9a52e9e951d 0.11.9 |
| 11824 | 80 d117b92fd8e459170a98a8dece7f3930f4b6aed7 0.11.10 |
| 12090 | 81 76b4e3f12b53fedae96402d87fa9ee79e704ce5e 0.11.11 |
