Software / code / prosody
Annotate
util/adhoc.lua @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 11352:e10567199f02 |
| rev | line source |
|---|---|
|
8382
e5d00bf4a4d5
util: Various minor changes to please [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7912
diff
changeset
|
1 -- luacheck: ignore 212/self |
|
e5d00bf4a4d5
util: Various minor changes to please [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7912
diff
changeset
|
2 |
|
5513
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
3 local function new_simple_form(form, result_handler) |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
4 return function(self, data, state) |
|
10667
49312378ba1d
util.adhoc: Allow passing dataforms in initial command
Kim Alvefur <zash@zash.se>
parents:
8382
diff
changeset
|
5 if state or data.form then |
|
5513
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
6 if data.action == "cancel" then |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
7 return { status = "canceled" }; |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
8 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
9 local fields, err = form:data(data.form); |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
10 return result_handler(fields, err, data); |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
11 else |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
12 return { status = "executing", actions = {"next", "complete", default = "complete"}, form = form }, "executing"; |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
13 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
14 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
15 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
16 |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
17 local function new_initial_data_form(form, initial_data, result_handler) |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
18 return function(self, data, state) |
|
10667
49312378ba1d
util.adhoc: Allow passing dataforms in initial command
Kim Alvefur <zash@zash.se>
parents:
8382
diff
changeset
|
19 if state or data.form then |
|
5513
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
20 if data.action == "cancel" then |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
21 return { status = "canceled" }; |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
22 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
23 local fields, err = form:data(data.form); |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
24 return result_handler(fields, err, data); |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
25 else |
|
11352
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
26 local values, err = initial_data(data); |
|
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
27 if type(err) == "table" then |
|
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
28 return {status = "error"; error = err} |
|
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
29 elseif type(err) == "string" then |
|
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
30 return {status = "error"; error = {type = "cancel"; condition = "internal-server-error", err}} |
|
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
31 end |
|
5513
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
32 return { status = "executing", actions = {"next", "complete", default = "complete"}, |
|
11352
e10567199f02
util.adhoc: Propagate error with producing initial initial data
Kim Alvefur <zash@zash.se>
parents:
10667
diff
changeset
|
33 form = { layout = form, values = values } }, "executing"; |
|
5513
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
34 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
35 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
36 end |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
37 |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
38 return { new_simple_form = new_simple_form, |
|
755f705f126a
util.adhoc: New util for generating common adhoc handler patterns
Florian Zeitz <florob@babelmonkeys.de>
parents:
diff
changeset
|
39 new_initial_data_form = new_initial_data_form }; |
