Software / code / prosody
Annotate
util/session.lua @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 10110:3fa3872588a8 |
| child | 12640:999b1c59af6f |
| rev | line source |
|---|---|
|
6941
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
1 local initialize_filters = require "util.filters".initialize; |
|
6939
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
2 local logger = require "util.logger"; |
| 6937 | 3 |
| 4 local function new_session(typ) | |
| 5 local session = { | |
| 6 type = typ .. "_unauthed"; | |
|
9947
8ebca1240203
util.session: Fix session id not include unauthed forever
Kim Alvefur <zash@zash.se>
parents:
7181
diff
changeset
|
7 base_type = typ; |
| 6937 | 8 }; |
| 9 return session; | |
| 10 end | |
| 11 | |
|
6938
9df70e9e006b
util.session: What is the identity of a session?
Kim Alvefur <zash@zash.se>
parents:
6937
diff
changeset
|
12 local function set_id(session) |
|
9947
8ebca1240203
util.session: Fix session id not include unauthed forever
Kim Alvefur <zash@zash.se>
parents:
7181
diff
changeset
|
13 local id = session.base_type .. tostring(session):match("%x+$"):lower(); |
|
6938
9df70e9e006b
util.session: What is the identity of a session?
Kim Alvefur <zash@zash.se>
parents:
6937
diff
changeset
|
14 session.id = id; |
|
9df70e9e006b
util.session: What is the identity of a session?
Kim Alvefur <zash@zash.se>
parents:
6937
diff
changeset
|
15 return session; |
|
9df70e9e006b
util.session: What is the identity of a session?
Kim Alvefur <zash@zash.se>
parents:
6937
diff
changeset
|
16 end |
|
9df70e9e006b
util.session: What is the identity of a session?
Kim Alvefur <zash@zash.se>
parents:
6937
diff
changeset
|
17 |
|
6939
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
18 local function set_logger(session) |
|
7181
8af558965da3
util.session: Fix luacheck warnings
Kim Alvefur <zash@zash.se>
parents:
6941
diff
changeset
|
19 local log = logger.init(session.id); |
|
6939
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
20 session.log = log; |
|
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
21 return session; |
|
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
22 end |
|
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
23 |
|
6940
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
24 local function set_conn(session, conn) |
|
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
25 session.conn = conn; |
|
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
26 session.ip = conn:ip(); |
|
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
27 return session; |
|
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
28 end |
|
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
29 |
|
6941
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
30 local function set_send(session) |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
31 local conn = session.conn; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
32 if not conn then |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
33 function session.send(data) |
|
10110
3fa3872588a8
util.session: Remove tostring call from logging
Kim Alvefur <zash@zash.se>
parents:
9947
diff
changeset
|
34 session.log("debug", "Discarding data sent to unconnected session: %s", data); |
|
6941
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
35 return false; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
36 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
37 return session; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
38 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
39 local filter = initialize_filters(session); |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
40 local w = conn.write; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
41 session.send = function (t) |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
42 if t.name then |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
43 t = filter("stanzas/out", t); |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
44 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
45 if t then |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
46 t = filter("bytes/out", tostring(t)); |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
47 if t then |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
48 local ret, err = w(conn, t); |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
49 if not ret then |
|
10110
3fa3872588a8
util.session: Remove tostring call from logging
Kim Alvefur <zash@zash.se>
parents:
9947
diff
changeset
|
50 session.log("debug", "Error writing to connection: %s", err); |
|
6941
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
51 return false, err; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
52 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
53 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
54 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
55 return true; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
56 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
57 return session; |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
58 end |
|
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
59 |
| 6937 | 60 return { |
| 61 new = new_session; | |
|
6938
9df70e9e006b
util.session: What is the identity of a session?
Kim Alvefur <zash@zash.se>
parents:
6937
diff
changeset
|
62 set_id = set_id; |
|
6939
a9ae0c6ac4f4
util.session: What does the session say?
Kim Alvefur <zash@zash.se>
parents:
6938
diff
changeset
|
63 set_logger = set_logger; |
|
6940
2be5e19485aa
util.session: How does a session relate do a connection?
Kim Alvefur <zash@zash.se>
parents:
6939
diff
changeset
|
64 set_conn = set_conn; |
|
6941
33fbc835697d
util.session: How would you even send anything to a session?
Kim Alvefur <zash@zash.se>
parents:
6940
diff
changeset
|
65 set_send = set_send; |
| 6937 | 66 } |
