plugins/muc/moderated.lib.lua @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 9035:173c0e16e704 |

| lines | rev | changeset | parent | description | author |
|---|---|---|---|---|---|
| 1-28, 31-32, 34, 37-43, 46-54 | 6226 | 7582deb85812 | | plugins/muc: Move 'moderated' code to separate file; changes default "muc-get-default-role" behaviour | daurnimator <quae@daurnimator.com> |
| 29-30, 44-45 | 9034 | 1c709e3d2e5e | 8865 | MUC: Improve labels of all config form items | Matthew Wild <mwild1@gmail.com> |
| 33 | 9035 | 173c0e16e704 | 9034 | MUC: Add sections in room config form | Matthew Wild <mwild1@gmail.com> |
| 35-36 | 6991 | 84e01dbb739e | 6226 | MUC: Update all config form handlers to take advantage of the new per-option events | Matthew Wild <mwild1@gmail.com> |

```lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2014 Daurnimator
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local function get_moderated(room)
	return room._data.moderated;
end

local function set_moderated(room, moderated)
	moderated = moderated and true or nil;
	if get_moderated(room) == moderated then return false; end
	room._data.moderated = moderated;
	return true;
end

module:hook("muc-disco#info", function(event)
	event.reply:tag("feature", {var = get_moderated(event.room) and "muc_moderated" or "muc_unmoderated"}):up();
end);

module:hook("muc-config-form", function(event)
	table.insert(event.form, {
		name = "muc#roomconfig_moderatedroom";
		type = "boolean";
		label = "Moderated (require permission to speak)";
		desc = "In moderated rooms occupants must be given permission to speak by a room moderator";
		value = get_moderated(event.room);
	});
end, 80-3);

module:hook("muc-config-submitted/muc#roomconfig_moderatedroom", function(event)
	if set_moderated(event.room, event.value) then
		event.status_codes["104"] = true;
	end
end);

module:hook("muc-get-default-role", function(event)
	if event.affiliation == nil then
		if get_moderated(event.room) then
			-- XEP-0045:
			-- An implementation MAY grant voice by default to visitors in unmoderated rooms.
			return "visitor"
		end
	end
end, 1);

return {
	get = get_moderated;
	set = set_moderated;
};
```