Annotate

plugins/mod_ping.lua @ 12181:783056b4e448 0.11 0.11.12

util.xml: Do not allow doctypes, comments or processing instructions

Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this.

This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nonetheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 9572:867e40b82409
child 10399:270cb2821566
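The parser hardening the commit message describes, reproduced as an added example on Python's expat binding rather than Prosody's util.xml (util.xml wraps LuaExpat, which exposes the same callbacks). All names here are the example's own, not the project's; the sample documents are constructed and deliberately contain only a bare doctype, PI or comment, which is enough to show the parser refusing them before any entity expansion could begin.

```python
"""Added example, not Prosody code: refuse doctypes, PIs and (optionally)
comments by installing callbacks that abort the expat parser."""
import xml.parsers.expat as expat


class RestrictedXML(Exception):
    """Raised when the document uses a construct the parser refuses."""


def _reject(kind):
    # Handler factory: any call aborts parsing with a descriptive error.
    def handler(*_args):
        raise RestrictedXML("%s not allowed" % kind)
    return handler


def parse_restricted(data, allow_comments=False):
    """Parse an XML string; refuse doctype declarations and processing
    instructions outright, and comments unless allow_comments is set.
    Returns (name, attributes) of the root element on success."""
    parser = expat.ParserCreate()
    root = []

    def start(name, attrs):
        if not root:
            root.append((name, attrs))

    parser.StartElementHandler = start
    # Entity declarations can only live inside a DOCTYPE, so refusing the
    # doctype up front means no entity expansion can ever start.
    parser.StartDoctypeDeclHandler = _reject("doctype declaration")
    # The <?xml ...?> declaration is not a PI and is unaffected by this.
    parser.ProcessingInstructionHandler = _reject("processing instruction")
    if not allow_comments:
        parser.CommentHandler = _reject("comment")
    try:
        # Exceptions raised inside a handler propagate out of Parse().
        parser.Parse(data, True)
    except expat.ExpatError as err:
        raise RestrictedXML("malformed: %s" % err)
    return root[0]


def is_rejected(data, **kw):
    """True if parse_restricted() refuses the document."""
    try:
        parse_restricted(data, **kw)
    except RestrictedXML:
        return True
    return False
```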
rev    line  source
1523      1  -- Prosody IM
2923      2  -- Copyright (C) 2008-2010 Matthew Wild
2923      3  -- Copyright (C) 2008-2010 Waqas Hussain
5776      4  --
758       5  -- This project is MIT/X11 licensed. Please see the
758       6  -- COPYING file in the source package for more information.
519       7  --
519       8
1511      9  local st = require "util.stanza";
1511     10
1511     11  module:add_feature("urn:xmpp:ping");
1511     12
2011     13  local function ping_handler(event)
6012     14  	return event.origin.send(st.reply(event.stanza));
2011     15  end
2011     16
6012     17  module:hook("iq-get/bare/urn:xmpp:ping:ping", ping_handler);
6012     18  module:hook("iq-get/host/urn:xmpp:ping:ping", ping_handler);
3486     19
3486     20  -- Ad-hoc command
3486     21
4129     22  local datetime = require "util.datetime".datetime;
4129     23
8729     24  function ping_command_handler (self, data, state) -- luacheck: ignore 212
4129     25  	local now = datetime();
3486     26  	return { info = "Pong\n"..now, status = "completed" };
3486     27  end
3486     28
8963     29  module:depends "adhoc";
3486     30  local adhoc_new = module:require "adhoc".new;
3486     31  local descriptor = adhoc_new("Ping", "ping", ping_command_handler);
9572     32  module:provides("adhoc", descriptor);
3486     33

Changesets contributing lines to this revision:
519   cccd610a0ef9  Insert copyright/license headers  (Matthew Wild <mwild1@gmail.com>, parents: 438)
758   b1885732e979  GPL->MIT!  (Matthew Wild <mwild1@gmail.com>, parents: 615)
1511  f9f8b7184cbe  mod_ping: Convert from Windows line endings  (Matthew Wild <mwild1@gmail.com>, parents: 896)
1523  841d61be198f  Remove version number from copyright headers  (Matthew Wild <mwild1@gmail.com>, parents: 1511)
2011  8159497c86e3  mod_ping: Updated to use events (which also fixes a few minor issues).  (Waqas Hussain <waqas20@gmail.com>, parents: 1523)
2923  b7049746bd29  Update copyright headers for 2010  (Matthew Wild <mwild1@gmail.com>, parents: 2011)
3486  8a46bb70016f  mod_ping: Add ad-hoc command  (Florian Zeitz <florob@babelmonkeys.de>, parents: 2923)
4129  c86b68abe12e  mod_ping: Use util.datetime to generate timestamp in ad-hoc command response (instead of the current use of os.date, which doesn't take timezone into account).  (Waqas Hussain <waqas20@gmail.com>, parents: 3486)
5776  bd0ff8ae98a8  Remove all trailing whitespace  (Florian Zeitz <florob@babelmonkeys.de>, parents: 4129)
6012  7e8a624272bf  mod_ping: Use type-specific event  (Kim Alvefur <zash@zash.se>, parents: 5776)
8729  c519c778f2b2  mod_ping: Ignore unused arguments [luacheck]  (Kim Alvefur <zash@zash.se>, parents: 6012)
8963  ff522d5db95d  mod_ping: Fix typo  (Kim Alvefur <zash@zash.se>, parents: 8961)
9572  867e40b82409  mod_ping, mod_uptime: Use module:provides  (Kim Alvefur <zash@zash.se>, parents: 8963)