Software `/` code `/` prosody

Annotate

util/http.lua @ 12180:53e0ae770917

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.

author	Jonas Schäfer <jonas@wielicki.name>
date	Mon, 10 Jan 2022 18:23:54 +0100
parent	9785:ff88b03c343f
child	13124:f15e23840780

rev	line source
5299 cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	1 -- Prosody IM
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	2 -- Copyright (C) 2013 Florian Zeitz
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	3 --
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	4 -- This project is MIT/X11 licensed. Please see the
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	5 -- COPYING file in the source package for more information.
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	6 --
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	7
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	8 local format, char = string.format, string.char;
9759 1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	9 local pairs, ipairs = pairs, ipairs;
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	10 local t_insert, t_concat = table.insert, table.concat;
5299 cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	11
9759 1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	12 local url_codes = {};
1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	13 for i = 0, 255 do
1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	14 local c = char(i);
1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	15 local u = format("%%%02x", i);
1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	16 url_codes[c] = u;
1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	17 url_codes[u] = c;
9785 ff88b03c343f util.http: Fix decoding of uppercase URL encoded chars Kim Alvefur <zash@zash.se> parents: 9759 diff changeset	18 url_codes[u:upper()] = c;
9759 1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	19 end
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	20 local function urlencode(s)
9759 1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	21 return s and (s:gsub("[^a-zA-Z0-9.~_-]", url_codes));
5458 84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	22 end
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	23 local function urldecode(s)
9759 1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	24 return s and (s:gsub("%%%x%x", url_codes));
5458 84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	25 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	26
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	27 local function _formencodepart(s)
9759 1af5106a2c34 util.http: Pre-generate urlencoding mappings (optimization) Kim Alvefur <zash@zash.se> parents: 9504 diff changeset	28 return s and (urlencode(s):gsub("%%20", "+"));
5458 84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	29 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	30
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	31 local function formencode(form)
5458 84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	32 local result = {};
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	33 if form[1] then -- Array of ordered { name, value }
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	34 for _, field in ipairs(form) do
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	35 t_insert(result, _formencodepart(field.name).."=".._formencodepart(field.value));
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	36 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	37 else -- Unordered map of name -> value
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	38 for name, value in pairs(form) do
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	39 t_insert(result, _formencodepart(name).."=".._formencodepart(value));
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	40 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	41 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	42 return t_concat(result, "&");
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	43 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	44
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	45 local function formdecode(s)
5458 84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	46 if not s:match("=") then return urldecode(s); end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	47 local r = {};
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	48 for k, v in s:gmatch("([^=&])=([^&])") do
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	49 k, v = k:gsub("%+", "%%20"), v:gsub("%+", "%%20");
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	50 k, v = urldecode(k), urldecode(v);
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	51 t_insert(r, { name = k, value = v });
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	52 r[k] = v;
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	53 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	54 return r;
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	55 end
84162b81c863 net.http, util.http: Move definitions of urlencode/decode and formencode/decode to util.http (possible to use them without unnecessary network-related dependencies) Matthew Wild <mwild1@gmail.com> parents: 5299 diff changeset	56
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	57 local function contains_token(field, token)
5299 cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	58 field = ","..field:gsub("[ \t]", ""):lower()..",";
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	59 return field:find(","..token:lower()..",", 1, true) ~= nil;
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	60 end
cc9d460aa779 util.http: New module for HTTP helper functions Florian Zeitz <florob@babelmonkeys.de> parents: diff changeset	61
9504 cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	62 local function normalize_path(path, is_dir)
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	63 if is_dir then
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	64 if path:sub(-1,-1) ~= "/" then path = path.."/"; end
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	65 else
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	66 if path:sub(-1,-1) == "/" then path = path:sub(1, -2); end
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	67 end
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	68 if path:sub(1,1) ~= "/" then path = "/"..path; end
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	69 return path;
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	70 end
cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	71
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	72 return {
34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	73 urlencode = urlencode, urldecode = urldecode;
34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	74 formencode = formencode, formdecode = formdecode;
34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	75 contains_token = contains_token;
9504 cfbea3064aa9 mod_http: Move normalize_path to util.http Kim Alvefur <zash@zash.se> parents: 5471 diff changeset	76 normalize_path = normalize_path;
5471 34bfd26525f5 util.http: Refactor and import all necessary functions Matthew Wild <mwild1@gmail.com> parents: 5458 diff changeset	77 };

prosody

53e0ae770917

util/http.lua

Software / code / prosody

Annotate

util/http.lua @ 12180:53e0ae770917

Software `/` code `/` prosody