Software / code / prosody
Annotate
README @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 10692:a0480ee2233a |
| child | 12223:a68f1617721b |
| rev | line source |
|---|---|
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 # Prosody IM Server |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 ## Description |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 Prosody is a server for Jabber/XMPP written in Lua. It aims to be easy |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 to use and light on resources. For developers, it aims to give a |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 flexible system on which to rapidly develop added functionality or |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 rapidly prototype new protocols. |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 ## Useful links |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
|
7359
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2665
diff
changeset
|
12 Homepage: https://prosody.im/ |
|
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2665
diff
changeset
|
13 Download: https://prosody.im/download |
|
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2665
diff
changeset
|
14 Documentation: https://prosody.im/doc/ |
|
9945
606b2567ff18
README: Add link to current issue tracker
Kim Alvefur <zash@zash.se>
parents:
9944
diff
changeset
|
15 Issue tracker: https://issues.prosody.im/ |
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 Jabber/XMPP Chat: |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 Address: |
|
1391
b910ef82622d
README: Update for new MUC address
Matthew Wild <mwild1@gmail.com>
parents:
1192
diff
changeset
|
19 prosody@conference.prosody.im |
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 Web interface: |
|
10692
a0480ee2233a
README: Update link to web chat
Kim Alvefur <zash@zash.se>
parents:
9945
diff
changeset
|
21 https://chat.prosody.im/ |
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 Mailing lists: |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 User support and discussion: |
|
7359
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2665
diff
changeset
|
25 https://groups.google.com/group/prosody-users |
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 Development discussion: |
|
7359
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2665
diff
changeset
|
28 https://groups.google.com/group/prosody-dev |
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 ## Installation |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 See the accompanying INSTALL file for help on building Prosody from source. Alternatively |
|
7359
a5a080c12c96
Update every link to the documentation to use HTTPS
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2665
diff
changeset
|
33 see our guide at https://prosody.im/doc/install |
|
1192
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 |
|
b1b42ce4f0f6
Finally add README and INSTALL files
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 |
