
plugins/muc/language.lib.lua @ 12181:783056b4e448 0.11 0.11.12

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nonetheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 9035:173c0e16e704
child 10063:13ccc2f05007
1 -- Prosody IM
2 -- Copyright (C) 2008-2010 Matthew Wild
3 -- Copyright (C) 2008-2010 Waqas Hussain
4 -- Copyright (C) 2014 Daurnimator
5 --
6 -- This project is MIT/X11 licensed. Please see the
7 -- COPYING file in the source package for more information.
8 --
-- Return the language tag held in room._data.language.
-- Yields nil when the field has not been set.
local function get_language(room)
	local room_data = room._data;
	return room_data.language;
end
-- Store a new language tag for the room.
-- An empty string means "no language" and is stored as nil.
-- Returns true when the stored value changed, false when the requested
-- value is the same as the current one.
-- NOTE(review): the tag is stored exactly as received; this function does no
-- type, format or length check on it. Confirm that callers bound the value.
local function set_language(room, language)
	local requested = language;
	if requested == "" then
		requested = nil;
	end
	if requested == get_language(room) then
		return false;
	end
	room._data.language = requested;
	return true;
end
-- Append the muc#roominfo_lang field to event.form and place the room's
-- current language in event.formdata under the same field name.
-- The stored tag is passed on unmodified; it is nil when no language is set.
local function add_disco_form(event)
	local lang_field = {
		name = "muc#roominfo_lang";
		value = "";
	};
	table.insert(event.form, lang_field);
	event.formdata[lang_field.name] = get_language(event.room);
end
-- Append the muc#roomconfig_lang text field to event.form, pre-filled with
-- the room's current language (empty string when none is set).
local function add_form_option(event)
	local lang_option = {
		name = "muc#roomconfig_lang";
		label = "Language tag for room (e.g. 'en', 'de', 'fr' etc.)";
		type = "text-single";
		desc = "Indicate the primary language spoken in this room";
		value = get_language(event.room) or "";
	};
	table.insert(event.form, lang_option);
end
-- Include the language field in disco#info results for the room.
module:hook("muc-disco#info", add_disco_form);

-- Include the language field in the room configuration form.
-- The third argument is the hook priority; 100-3 evaluates to 97.
-- NOTE(review): presumably chosen to position this field relative to other
-- config form items; confirm against the other MUC config hooks.
module:hook("muc-config-form", add_form_option, 100-3);

-- Apply a submitted muc#roomconfig_lang value. Status code "104" is flagged
-- only when the stored language actually changed.
-- NOTE(review): event.value comes from a submitted form and is handed to
-- set_language as-is; whether the submitter may configure the room is not
-- checked in this file. Confirm it is enforced before this event fires.
local function on_language_submitted(event)
	local changed = set_language(event.room, event.value);
	if changed then
		event.status_codes["104"] = true;
	end
end
module:hook("muc-config-submitted/muc#roomconfig_lang", on_language_submitted);
-- Library exports: the getter and setter for a room's language tag.
local exports = {};
exports.get = get_language;
exports.set = set_language;
return exports;