Software / code / prosody
Annotate
COPYING @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 4304:73bf8aab8b77 |
| child | 12353:5ace23519e71 |
| rev | line source |
|---|---|
|
4303
9f10476e1af4
COPYING: Update copyright year; it's 2011 already.
Waqas Hussain <waqas20@gmail.com>
parents:
767
diff
changeset
|
1 Copyright (c) 2008-2011 Matthew Wild |
|
9f10476e1af4
COPYING: Update copyright year; it's 2011 already.
Waqas Hussain <waqas20@gmail.com>
parents:
767
diff
changeset
|
2 Copyright (c) 2008-2011 Waqas Hussain |
| 478 | 3 |
|
767
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
4 Permission is hereby granted, free of charge, to any person obtaining a copy |
|
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
5 of this software and associated documentation files (the "Software"), to deal |
|
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
6 in the Software without restriction, including without limitation the rights |
|
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
7 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
|
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
8 copies of the Software, and to permit persons to whom the Software is |
|
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
9 furnished to do so, subject to the following conditions: |
| 478 | 10 |
|
767
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
11 The above copyright notice and this permission notice shall be included in |
|
13ae298c67d7
Update COPYING file... probably the worst thing I could forget to commit in this release :)
Matthew Wild <mwild1@gmail.com>
parents:
521
diff
changeset
|
12 all copies or substantial portions of the Software. |
| 478 | 13 |
|
4304
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
|
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
15 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
|
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
16 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
|
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
17 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY |
|
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
18 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
|
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
19 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE |
|
73bf8aab8b77
COPYING: Reflow the all-caps text. It was wrapping really badly in the Windows installer.
Waqas Hussain <waqas20@gmail.com>
parents:
4303
diff
changeset
|
20 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
