prosody: annotate util/uuid.lua @ 12180:53e0ae770917
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 7078:ec17115e3721 |
| child | 12355:a0ff5c438e9d |
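The policy the commit message describes (refuse doctype declarations and processing instructions outright, refuse comments unless the caller opts in) can be expressed with any expat-style event parser. The following is an added example written for this page, not Prosody's util.xml: it uses Python's xml.parsers.expat in place of LuaExpat, the handler names are expat's real ones, and the sample documents are constructed.

```python
# Added example (not Prosody code): an expat-based parser that refuses
# doctype declarations and processing instructions outright, and refuses
# comments unless the caller opts in.
import xml.parsers.expat as expat


class RejectedConstruct(ValueError):
    """Raised when the document contains a construct the policy forbids."""


def _reject(what):
    # Raising inside an expat handler aborts the parse; pyexpat re-raises
    # the exception from Parse(), so nothing after this point is processed.
    raise RejectedConstruct(f"{what} is not allowed")


def parse_xml(data, allow_comments=False):
    """Parse `data` (bytes or str) into a nested dict, enforcing the policy.

    The root node is {"name", "attrs", "text", "children", "comments"}.
    """
    parser = expat.ParserCreate()
    stack = []
    root = None
    comments = []

    # The doctype handler fires at "<!DOCTYPE", before any internal subset
    # is read, so no entity declaration (the ingredient of Billion Laughs)
    # is ever processed.
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: _reject("doctype declaration"))
    parser.ProcessingInstructionHandler = (
        lambda target, pi_data: _reject("processing instruction"))
    if allow_comments:
        parser.CommentHandler = comments.append  # harmless, keep them
    else:
        parser.CommentHandler = lambda comment: _reject("comment")

    def start_element(name, attrs):
        nonlocal root
        node = {"name": name, "attrs": attrs, "text": "", "children": []}
        if stack:
            stack[-1]["children"].append(node)
        else:
            root = node
        stack.append(node)

    def end_element(name):
        stack.pop()

    def character_data(text):
        if stack:
            stack[-1]["text"] += text

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    root["comments"] = comments
    return root


def classify(data, allow_comments=False):
    """Return "ok" or the rejection reason; convenient for tests and logs."""
    try:
        parse_xml(data, allow_comments)
    except RejectedConstruct as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "ok"


# Constructed sample inputs (not taken from the page).
PLAIN = b"<open to='example.com' version='1.0'/>"
WITH_DOCTYPE = b"<!DOCTYPE open><open to='example.com'/>"
WITH_PI = b"<?xml-stylesheet href='x.css'?><open/>"
WITH_COMMENT = b"<open><!-- client note --></open>"

if __name__ == "__main__":
    for label, doc in [("plain", PLAIN), ("doctype", WITH_DOCTYPE),
                       ("pi", WITH_PI), ("comment", WITH_COMMENT)]:
        print(label, "->", classify(doc),
              "/ comments allowed ->", classify(doc, True))
```

Two details worth knowing when porting this: the XML declaration (`<?xml version="1.0"?>`) is not a processing instruction and goes to expat's XmlDeclHandler, so it is unaffected; and because the rejection happens at the start of the DOCTYPE, the parser never reaches the internal subset where entity declarations would live. Leave `allow_comments` off for anything that arrives over the network and turn it on only where the input is human-authored, which is the distinction the commit message draws.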
Source at this revision (line numbers refer to the blame table that follows):

```lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local random = require "util.random";
local random_bytes = random.bytes;
local hex = require "util.hex".to;
local m_ceil = math.ceil;

local function get_nibbles(n)
	return hex(random_bytes(m_ceil(n/2))):sub(1, n);
end

local function get_twobits()
	return ("%x"):format(random_bytes(1):byte() % 4 + 8);
end

local function generate()
	-- generate RFC 4122 compliant UUIDs (version 4 - random)
	return get_nibbles(8).."-"..get_nibbles(4).."-4"..get_nibbles(3).."-"..(get_twobits())..get_nibbles(3).."-"..get_nibbles(12);
end

return {
	get_nibbles=get_nibbles;
	generate = generate;
	-- COMPAT
	seed = random.seed;
};
```

Blame (revision, author and commit message per line; lines 5-6 and 26 carry only a revision number on the page):

| line(s) | rev | author | commit message |
|---|---|---|---|
| 1 | 1523:841d61be198f (parent 1304) | Matthew Wild <mwild1@gmail.com> | Remove version number from copyright headers |
| 2-3 | 2923:b7049746bd29 (parent 1523) | Matthew Wild <mwild1@gmail.com> | Update copyright headers for 2010 |
| 4 | 5776:bd0ff8ae98a8 (parent 2957) | Florian Zeitz <florob@babelmonkeys.de> | Remove all trailing whitespace |
| 5-6 | 758 | | |
| 7-8 | 519:cccd610a0ef9 (parent 145) | Matthew Wild <mwild1@gmail.com> | Insert copyright/license headers |
| 9-12 | 6377:50e5aed4eeea (parent 5776) | Matthew Wild <mwild1@gmail.com> | util.uuid: Use util.hex and util.random |
| 13 | 44:80d2ade0fd69 | Matthew Wild <mwild1@gmail.com> | Add "uuid" library and make sessionmanager use this. |
| 14 | 1303:2170e2c0d57a (parent 1302) | Waqas Hussain <waqas20@gmail.com> | util.uuid: Now generates RFC 4122 complaint UUIDs (version 4 - random) |
| 15 | 6377:50e5aed4eeea | Matthew Wild <mwild1@gmail.com> | util.uuid: Use util.hex and util.random |
| 16-18 | 1303:2170e2c0d57a | Waqas Hussain <waqas20@gmail.com> | util.uuid: Now generates RFC 4122 complaint UUIDs (version 4 - random) |
| 19 | 7049:0eee56075901 (parent 7012) | Kim Alvefur <zash@zash.se> | util.uuid: Take random byte directly instead of the low bits from the ascii value of a hex nibble |
| 20-21 | 1303:2170e2c0d57a | Waqas Hussain <waqas20@gmail.com> | util.uuid: Now generates RFC 4122 complaint UUIDs (version 4 - random) |
| 22 | 6377:50e5aed4eeea | Matthew Wild <mwild1@gmail.com> | util.uuid: Use util.hex and util.random |
| 23-24 | 1303:2170e2c0d57a | Waqas Hussain <waqas20@gmail.com> | util.uuid: Now generates RFC 4122 complaint UUIDs (version 4 - random) |
| 25 | 1302:4561c6d95339 (parent 896) | Waqas Hussain <waqas20@gmail.com> | util.uuid: More uniqueness! |
| 26 | 7057 | | |
| 27-32 | 6377:50e5aed4eeea | Matthew Wild <mwild1@gmail.com> | util.uuid: Use util.hex and util.random |
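The generator above builds a version-4 UUID by hand: random hex nibbles in the 8-4-4-4-12 layout, a literal `4` as the version nibble, and `get_twobits` producing the variant nibble as a random byte modulo 4 plus 8 (so only 8, 9, a or b, i.e. binary 10xx). The following is an added example in Python, not the project's code: it reproduces that construction with `os.urandom` standing in for `util.random.bytes`, and checks the result with the standard library's `uuid` module so the version and variant bits can be verified rather than assumed.

```python
# Added example (not Prosody code): the RFC 4122 version-4 layout built the
# way util/uuid.lua builds it, plus checks on the version and variant bits.
import os
import uuid
from collections import Counter


def get_nibbles(n):
    # ceil(n/2) random bytes, hex-encoded, truncated to n hex digits;
    # os.urandom plays the role of util.random.bytes here.
    return os.urandom((n + 1) // 2).hex()[:n]


def get_twobits():
    # Variant nibble: a random byte mod 4 is 0..3, plus 8 gives 8, 9, a or b,
    # i.e. binary 10xx: the RFC 4122 variant with two random low bits.
    return "%x" % (os.urandom(1)[0] % 4 + 8)


def generate():
    # 8-4-4-4-12 hex groups; the third group starts with the version nibble
    # '4', the fourth with the variant nibble.
    return "-".join([
        get_nibbles(8),
        get_nibbles(4),
        "4" + get_nibbles(3),
        get_twobits() + get_nibbles(3),
        get_nibbles(12),
    ])


def is_rfc4122_v4(text):
    """True if `text` parses as a UUID with version 4 and the RFC 4122 variant."""
    try:
        parsed = uuid.UUID(text)
    except ValueError:
        return False
    # uuid.UUID reports a version only when the variant is RFC 4122, so a
    # wrong variant nibble (e.g. 7 -> binary 0111) fails both checks.
    return (parsed.version == 4
            and parsed.variant == uuid.RFC_4122
            and str(parsed) == text)


def variant_nibbles(samples):
    """Count which variant nibble values appear over `samples` UUIDs.

    A correct generator yields only 8, 9, a and b; any other value means the
    variant bits are wrong and a parser would classify the UUID differently.
    """
    return Counter(generate()[19] for _ in range(samples))


if __name__ == "__main__":
    sample = generate()
    print(sample, "valid v4:", is_rfc4122_v4(sample))
    print("variant nibble distribution:", dict(variant_nibbles(4000)))
```

The position check `generate()[19]` relies on the fixed layout: index 14 is the version nibble and index 19 the variant nibble. Tampering with the variant nibble in `is_rfc4122_v4` shows why `get_twobits` adds 8 instead of emitting any hex digit: a nibble outside 8..b is parsed as a different UUID variant entirely.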