Annotate

util/hmac.lua @ 12180:53e0ae770917

util.xml: Do not allow doctypes, comments or processing instructions

Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this.

This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nonetheless.

This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.

author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 9959:45caa32992b6
child 12561:adfb46a3e8a7
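
The handler policy described in the commit message above, as an added example that is not Prosody's code: it uses Python's `xml.parsers.expat` as a stand-in parser. The names `parse_restricted`, `verdict` and `RestrictedXML` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat


class RestrictedXML(Exception):
    """Raised when the document uses a construct the policy forbids."""


def parse_restricted(data, allow_comments=False):
    """Parse `data` and return the element names seen, in document order.

    Doctype declarations and processing instructions are always rejected;
    comments are rejected unless allow_comments is True (the opt-in the
    commit message describes).
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def reject(kind):
        def handler(*_args):
            # Raising inside a handler aborts Parse() and reaches the caller.
            raise RestrictedXML(kind)
        return handler

    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.StartDoctypeDeclHandler = reject("doctype")
    parser.ProcessingInstructionHandler = reject("processing instruction")
    if not allow_comments:
        parser.CommentHandler = reject("comment")
    parser.Parse(data, True)
    return seen


def verdict(data, **options):
    """Return 'ok', or the name of the construct that was rejected."""
    try:
        parse_restricted(data, **options)
        return "ok"
    except RestrictedXML as exc:
        return str(exc)


# Constructed samples; the one-entity doctype stands in for any entity-declaring document.
SAMPLES = {
    "plain": "<open xmlns='urn:ietf:params:xml:ns:xmpp-framing' to='example.org'/>",
    "doctype": "<!DOCTYPE d [<!ENTITY a 'x'>]><d>&a;</d>",
    "pi": "<?pi data?><d/>",
    "comment": "<d><!-- note --></d>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, verdict(doc), verdict(doc, allow_comments=True))
```

Rejecting at the doctype declaration means no entity definition is ever accepted, so the check does not depend on expansion limits in the underlying parser.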
rev   line  source
1522  1     -- Prosody IM
2923  2     -- Copyright (C) 2008-2010 Matthew Wild
2923  3     -- Copyright (C) 2008-2010 Waqas Hussain
5776  4     --
1522  5     -- This project is MIT/X11 licensed. Please see the
1522  6     -- COPYING file in the source package for more information.
1522  7     --
1522  8
5537  9     -- COMPAT: Only for external pre-0.9 modules
5537  10
1456  11    local hashes = require "util.hashes"
1456  12
9958  13    return {
9958  14    md5 = hashes.hmac_md5,
9958  15    sha1 = hashes.hmac_sha1,
9958  16    sha256 = hashes.hmac_sha256,
9959  17    sha512 = hashes.hmac_sha512,
9958  18    };

Changesets referenced in the rev column:
1456  3135cf40110d  Added HMAC utility module; Dwayne Bent <dbb.0@liqd.org>; parents:
1522  569d58d21612  Add copyright header to those files missing one; Matthew Wild <mwild1@gmail.com>; parents: 1516
2923  b7049746bd29  Update copyright headers for 2010; Matthew Wild <mwild1@gmail.com>; parents: 1522
5537  15464633d8fb  util.hmac, util.hashes: Implement HMAC functions in C, and move to util.hashes; Florian Zeitz <florob@babelmonkeys.de>; parents: 3540
5776  bd0ff8ae98a8  Remove all trailing whitespace; Florian Zeitz <florob@babelmonkeys.de>; parents: 5537
9958  d879f2253c2d  util.hmac: Reflow code; Kim Alvefur <zash@zash.se>; parents: 5776
9959  45caa32992b6  util.hmac: Expose hmac-sha-512 too; Kim Alvefur <zash@zash.se>; parents: 9958