prosody
53e0ae770917
plugins/mod_server_contact_info.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

plugins/mod_server_contact_info.lua @ 12180:53e0ae770917

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 11584:8bea29d1f82d
child 12977:74b9e05af71e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 -- XEP-0157: Contact Addresses for XMPP Services for Prosody
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 --
9334
a86736e0163c mod_server_contact_info: Update copyright header
Kim Alvefur <zash@zash.se>
parents: 9333
diff changeset
3 -- Copyright (C) 2011-2018 Kim Alvefur
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 --
9334
a86736e0163c mod_server_contact_info: Update copyright header
Kim Alvefur <zash@zash.se>
parents: 9333
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
a86736e0163c mod_server_contact_info: Update copyright header
Kim Alvefur <zash@zash.se>
parents: 9333
diff changeset
6 -- COPYING file in the source package for more information.
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7 --
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9 local array = require "util.array";
11583
4ee7a6a8753e mod_server_contact_info: Apply JID normalization
Kim Alvefur <zash@zash.se>
parents: 11010
diff changeset
10 local jid = require "util.jid";
11584
8bea29d1f82d mod_server_contact_info: Generate properly escaped URIs from 'admins'
Kim Alvefur <zash@zash.se>
parents: 11583
diff changeset
11 local url = require "socket.url";
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 -- Source: http://xmpp.org/registrar/formtypes.html#http:--jabber.org-network-serverinfo
9333
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
14 local form_layout = require "util.dataforms".new({
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
15 { var = "FORM_TYPE"; type = "hidden"; value = "http://jabber.org/network/serverinfo"; };
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
16 { name = "abuse", var = "abuse-addresses", type = "list-multi" },
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
17 { name = "admin", var = "admin-addresses", type = "list-multi" },
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
18 { name = "feedback", var = "feedback-addresses", type = "list-multi" },
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
19 { name = "sales", var = "sales-addresses", type = "list-multi" },
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
20 { name = "security", var = "security-addresses", type = "list-multi" },
11010
6b27cb706b89 mod_server_contact_info: Add status-addresses field
Kim Alvefur <zash@zash.se>
parents: 9428
diff changeset
21 { name = "status", var = "status-addresses", type = "list-multi" },
9333
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
22 { name = "support", var = "support-addresses", type = "list-multi" },
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
23 });
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24
9428
8e7feec95e8d mod_server_contact_info: Comment on fallback to using 'admins'
Kim Alvefur <zash@zash.se>
parents: 9334
diff changeset
25 -- JIDs of configured service admins are used as fallback
9333
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
26 local admins = module:get_option_inherited_set("admins", {});
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
9333
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
28 local contact_config = module:get_option("contact_info", {
11584
8bea29d1f82d mod_server_contact_info: Generate properly escaped URIs from 'admins'
Kim Alvefur <zash@zash.se>
parents: 11583
diff changeset
29 admin = array.collect(admins / jid.prep / function(admin) return url.build({scheme = "xmpp"; path = admin}); end);
9333
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
30 });
8257
c24837f57259 mod_server_contact_info: Import from prosody-modules 2c59f2f0c37d (fixes #778)
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31
9333
fd704adc62e1 mod_server_contact_info: Simplify
Kim Alvefur <zash@zash.se>
parents: 8257
diff changeset
32 module:add_extension(form_layout:form(contact_config, "result"));