Software / code / prosody
Annotate
plugins/muc/hats.lib.lua @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 11245:43b43e7156b8 |
| child | 12977:74b9e05af71e |
| rev | line source |
|---|---|
|
10693
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local st = require "util.stanza"; |
|
10714
9ecad2304297
MUC: Switch hats to new presence APIs
Matthew Wild <mwild1@gmail.com>
parents:
10693
diff
changeset
|
2 local muc_util = module:require "muc/util"; |
|
10693
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local xmlns_hats = "xmpp:prosody.im/protocol/hats:1"; |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
|
10714
9ecad2304297
MUC: Switch hats to new presence APIs
Matthew Wild <mwild1@gmail.com>
parents:
10693
diff
changeset
|
6 -- Strip any hats claimed by the client (to prevent spoofing) |
|
9ecad2304297
MUC: Switch hats to new presence APIs
Matthew Wild <mwild1@gmail.com>
parents:
10693
diff
changeset
|
7 muc_util.add_filtered_namespace(xmlns_hats); |
|
10693
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
11245
43b43e7156b8
MUC: Add support for presence probes (fixes #1535)
JC Brand <jc@opkode.com>
parents:
10714
diff
changeset
|
9 |
|
10714
9ecad2304297
MUC: Switch hats to new presence APIs
Matthew Wild <mwild1@gmail.com>
parents:
10693
diff
changeset
|
10 module:hook("muc-build-occupant-presence", function (event) |
|
11245
43b43e7156b8
MUC: Add support for presence probes (fixes #1535)
JC Brand <jc@opkode.com>
parents:
10714
diff
changeset
|
11 local bare_jid = event.occupant and event.occupant.bare_jid or event.bare_jid; |
|
43b43e7156b8
MUC: Add support for presence probes (fixes #1535)
JC Brand <jc@opkode.com>
parents:
10714
diff
changeset
|
12 local aff_data = event.room:get_affiliation_data(bare_jid); |
|
10693
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local hats = aff_data and aff_data.hats; |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 if not hats then return; end |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local hats_el; |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 for hat_id, hat_data in pairs(hats) do |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 if hat_data.active then |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 if not hats_el then |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 hats_el = st.stanza("hats", { xmlns = xmlns_hats }); |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 end |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 hats_el:tag("hat", { uri = hat_id, title = hat_data.title }):up(); |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 end |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 end |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 if not hats_el then return; end |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 event.stanza:add_direct_child(hats_el); |
|
76bb806cdd4b
MUC: Add initial hats support (broadcast only)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end); |
