prosody
53e0ae770917
net/cqueues.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

net/cqueues.lua @ 12180:53e0ae770917

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 10999:37b884d675f7
child 12974:ba409c67353b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6514
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
1 -- Prosody IM
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
2 -- Copyright (C) 2014 Daurnimator
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
3 --
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
4 -- This project is MIT/X11 licensed. Please see the
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
5 -- COPYING file in the source package for more information.
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
6 --
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
7 -- This module allows you to use cqueues with a net.server mainloop
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
8 --
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
9
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
10 local server = require "net.server";
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
11 local cqueues = require "cqueues";
10999
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
12 local timer = require "util.timer";
6538
f1eb66288f60 net.cqueues: Fix incorrect version check
daurnimator <quae@daurnimator.com>
parents: 6537
diff changeset
13 assert(cqueues.VERSION >= 20150113, "cqueues newer than 20150113 required")
6514
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
14
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
15 -- Create a single top level cqueue
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
16 local cq;
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
17
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
18 if server.cq then -- server provides cqueues object
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
19 cq = server.cq;
10996
d742095046f9 net.cqueues: Switch to server.watchfd for main loop integration
Kim Alvefur <zash@zash.se>
parents: 6538
diff changeset
20 elseif server.watchfd then
6514
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
21 cq = cqueues.new();
10999
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
22 local timeout = timer.add_task(cq:timeout() or 0, function ()
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
23 -- FIXME It should be enough to reschedule this timeout instead of replacing it, but this does not work. See https://issues.prosody.im/1572
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
24 assert(cq:loop(0));
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
25 return cq:timeout();
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
26 end);
10996
d742095046f9 net.cqueues: Switch to server.watchfd for main loop integration
Kim Alvefur <zash@zash.se>
parents: 6538
diff changeset
27 server.watchfd(cq:pollfd(), function ()
6514
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
28 assert(cq:loop(0));
10999
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
29 local t = cq:timeout();
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
30 if t then
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
31 timer.stop(timeout);
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
32 timeout = timer.add_task(cq:timeout(), function ()
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
33 assert(cq:loop(0));
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
34 return cq:timeout();
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
35 end);
37b884d675f7 net.cqueues: Fix resuming after timeouts
Kim Alvefur <zash@zash.se>
parents: 10996
diff changeset
36 end
6514
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
37 end);
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
38 else
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
39 error "NYI"
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
40 end
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
41
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
42 return {
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
43 cq = cq;
d425fc41e59f net.cqueues: Add module that allows use of cqueues while still using net.server as main loop
daurnimator <quae@daurnimator.com>
parents:
diff changeset
44 }