Software / code / prosody
Annotate
doc/storage.tld @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 7744:4d9186d990a5 |
| child | 9903:2c5546cc5c70 |
| rev | line source |
|---|---|
|
7744
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- Storage Interface API Description |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- This is written as a TypedLua description |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- Key-Value stores (the default) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 interface keyval_store |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 get : ( self, string? ) -> (any) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 set : ( self, string?, any ) -> (boolean) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 end |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 -- Map stores (key-key-value stores) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 interface map_store |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 get : ( self, string?, any ) -> (any) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 set : ( self, string?, any, any ) -> (boolean) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 set_keys : ( self, string?, { any : any }) -> (boolean) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 remove : {} |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 end |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 -- Archive stores |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 typealias archive_query = { |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 "start" : number?, -- timestamp |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 "end" : number?, -- timestamp |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 "with" : string?, |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 "after" : string?, -- archive id |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 "before" : string?, -- archive id |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 "total" : boolean?, |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 } |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 interface archive_store |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 -- Optional set of capabilities |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 caps : { |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 -- Optional total count of matching items returned as second return value from :find() |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 "total" : boolean?, |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 }? |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 -- Add to the archive |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 append : ( self, string?, string?, any, number?, string? ) -> (string) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 -- Iterate over archive |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 find : ( self, string?, archive_query? ) -> ( () -> ( string, any, number?, string? ), integer? ) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 -- Removal of items. API like find. Optional? |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 delete : ( self, string?, archive_query? ) -> (boolean) | (number) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 -- Array of dates which do have messages (Optional?) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 dates : ( self, string? ) -> ({ string }) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 end |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 -- This represents moduleapi |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 interface module |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 -- If the first string is omitted then the name of the module is used |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 -- The second string is one of "keyval" (default), "map" or "archive" |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 open_store : (self, string?, string?) -> (keyval_store) | (map_store) | (archive_store) | (nil, string) |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 -- Other module methods omitted |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 end |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
|
4d9186d990a5
doc: Add a description of the Storage API in TypedLua format
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 module : module |
