Software / code / prosody
Annotate
util/caps.lua @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 8555:4f0f5b49bb03 |
| child | 12975:d10957394a3c |
| rev | line source |
|---|---|
|
3342
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 -- Prosody IM |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
3342
diff
changeset
|
4 -- |
|
3342
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 -- |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local base64 = require "util.encodings".base64.encode; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local sha1 = require "util.hashes".sha1; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 local t_insert, t_sort, t_concat = table.insert, table.sort, table.concat; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local ipairs = ipairs; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
|
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
15 local _ENV = nil; |
|
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
6777
diff
changeset
|
16 -- luacheck: std none |
|
3342
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 |
|
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
18 local function calculate_hash(disco_info) |
|
3342
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 local identities, features, extensions = {}, {}, {}; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 for _, tag in ipairs(disco_info) do |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 if tag.name == "identity" then |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 t_insert(identities, (tag.attr.category or "").."\0"..(tag.attr.type or "").."\0"..(tag.attr["xml:lang"] or "").."\0"..(tag.attr.name or "")); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 elseif tag.name == "feature" then |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 t_insert(features, tag.attr.var or ""); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 elseif tag.name == "x" and tag.attr.xmlns == "jabber:x:data" then |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 local form = {}; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 local FORM_TYPE; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 for _, field in ipairs(tag.tags) do |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 if field.name == "field" and field.attr.var then |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 local values = {}; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 for _, val in ipairs(field.tags) do |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 val = #val.tags == 0 and val:get_text(); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 if val then t_insert(values, val); end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 t_sort(values); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 if field.attr.var == "FORM_TYPE" then |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 FORM_TYPE = values[1]; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 elseif #values > 0 then |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 t_insert(form, field.attr.var.."\0"..t_concat(values, "<")); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 else |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 t_insert(form, field.attr.var); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 t_sort(form); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 form = t_concat(form, "<"); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 if FORM_TYPE then form = FORM_TYPE.."\0"..form; end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 t_insert(extensions, form); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 t_sort(identities); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 t_sort(features); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 t_sort(extensions); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 if #identities > 0 then identities = t_concat(identities, "<"):gsub("%z", "/").."<"; else identities = ""; end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 if #features > 0 then features = t_concat(features, "<").."<"; else features = ""; end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 if #extensions > 0 then extensions = t_concat(extensions, "<"):gsub("%z", "<").."<"; else extensions = ""; end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 local S = identities..features..extensions; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 local ver = base64(sha1(S)); |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 return ver, S; |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 end |
|
20e99763a08a
util.caps: Entity capabilities hash generation (moved from mod_pep)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 |
|
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
62 return { |
|
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
63 calculate_hash = calculate_hash; |
|
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
64 }; |
