util/caps.lua @ 13854:0b01f40df0f9 13.0
mod_http_file_share: Add media-src 'self' to Content-Security-Policy header
This allows certain media files to be loaded when navigated to directly in a
web browser.
Note that in some browsers (Chrome), the media gets transformed
internally into a HTML page with some basic styles, but these are blocked due
to our default-src policy of 'none'. Although this could be unblocked with
style-src unsafe-inline, it is not our plan to fix this, because this would
have negative security implications.
The reason for our CSP is to prevent the file share service from being used to
host malicious HTML/CSS/JS. Yes, CSS can be malicious.
Our file share service is for uploading and downloading files, it is not a
substitute for website/content hosting.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 18 Apr 2025 12:25:06 +0100 |
| parent | 12975:d10957394a3c |
| rev | line source |
|---|---|
1 -- Prosody IM |
2 -- Copyright (C) 2008-2010 Matthew Wild |
3 -- Copyright (C) 2008-2010 Waqas Hussain |
4 -- |
5 -- This project is MIT/X11 licensed. Please see the |
6 -- COPYING file in the source package for more information. |
7 -- |
8 |
9 local base64 = require "prosody.util.encodings".base64.encode; |
10 local sha1 = require "prosody.util.hashes".sha1; |
11 |
-- Keep the table helpers and ipairs in locals: they are captured here, before
-- the environment is dropped below, so the rest of the file can still use them.
local t_insert, t_sort, t_concat = table.insert, table.sort, table.concat;
local ipairs = ipairs;

-- With _ENV set to nil (on Lua versions that have _ENV), any later global
-- access in this chunk fails instead of silently reading or creating a global.
local _ENV = nil;
-- luacheck: std none
17 |
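--- Build the entity capabilities verification string for a disco#info result
-- and hash it (SHA-1, then base64), following the XEP-0115 generation method.
--
-- @param disco_info array of the child elements of a disco#info <query/>;
--   each element is read through .name, .attr and, for data forms, .tags and
--   :get_text().
-- @return ver the base64-encoded SHA-1 digest of S
-- @return S the verification string that was hashed
--
-- NOTE(review): the parts of S are joined with "<" and nothing in this
-- function escapes or rejects a "<" (or a NUL) inside an attribute or value,
-- so different disco_info inputs can yield the same S. If a caller uses the
-- result to check a hash advertised by a remote entity, it should first
-- validate the response as XEP-0115 describes for received caps (duplicate
-- identities or features, forms without a usable FORM_TYPE) before caching
-- anything under `ver`. SHA-1 is what the protocol mandates here; `ver` is a
-- cache key, not a strong integrity guarantee.
local function calculate_hash(disco_info)
	local identities, features, extensions = {}, {}, {};
	for _, tag in ipairs(disco_info) do
		if tag.name == "identity" then
			-- "\0" keeps the four parts apart while sorting; it becomes "/" below.
			t_insert(identities, (tag.attr.category or "").."\0"..(tag.attr.type or "").."\0"..(tag.attr["xml:lang"] or "").."\0"..(tag.attr.name or ""));
		elseif tag.name == "feature" then
			t_insert(features, tag.attr.var or "");
		elseif tag.name == "x" and tag.attr.xmlns == "jabber:x:data" then
			local form = {};
			local FORM_TYPE;
			for _, field in ipairs(tag.tags) do
				if field.name == "field" and field.attr.var then
					local values = {};
					for _, val in ipairs(field.tags) do
						-- Only <value/> children contribute to the hash. Without the
						-- name check, other leaf children of a field (<desc/>,
						-- <required/>) were hashed as if they were values.
						if val.name == "value" and #val.tags == 0 then
							local text = val:get_text();
							if text then t_insert(values, text); end
						end
					end
					t_sort(values);
					if field.attr.var == "FORM_TYPE" then
						-- After sorting, the first value is taken as the form type.
						FORM_TYPE = values[1];
					elseif #values > 0 then
						t_insert(form, field.attr.var.."\0"..t_concat(values, "<"));
					else
						t_insert(form, field.attr.var);
					end
				end
			end
			t_sort(form);
			form = t_concat(form, "<");
			-- NOTE(review): a form with no FORM_TYPE value is still added to the
			-- extensions below, just without the prefix.
			if FORM_TYPE then form = FORM_TYPE.."\0"..form; end
			t_insert(extensions, form);
		end
	end
	t_sort(identities);
	t_sort(features);
	t_sort(extensions);
	-- Each non-empty section is "<"-joined and "<"-terminated; the NUL
	-- placeholders become "/" for identities and "<" for extensions.
	if #identities > 0 then identities = t_concat(identities, "<"):gsub("%z", "/").."<"; else identities = ""; end
	if #features > 0 then features = t_concat(features, "<").."<"; else features = ""; end
	if #extensions > 0 then extensions = t_concat(extensions, "<"):gsub("%z", "<").."<"; else extensions = ""; end
	local S = identities..features..extensions;
	local ver = base64(sha1(S));
	return ver, S;
end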
61 |
-- Module exports: the hash generator is the only public entry point.
return {
	calculate_hash = calculate_hash,
};