Software / code / prosody
Annotate
plugins/mod_muc_unique.lua @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 8878:7c3e16fdaf1d |
| child | 12977:74b9e05af71e |
| rev | line source |
|---|---|
|
6091
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
1 -- XEP-0307: Unique Room Names for Multi-User Chat |
|
6409
5fd6c739e9bf
plugins/mod_muc_unique: Fix undefined global access (thanks Lance)
Waqas Hussain <waqas20@gmail.com>
parents:
6091
diff
changeset
|
2 local st = require "util.stanza"; |
|
8878
7c3e16fdaf1d
mod_muc_unique: Use util.id for more compact identifiers
Kim Alvefur <zash@zash.se>
parents:
6409
diff
changeset
|
3 local unique_name = require "util.id".medium; |
|
6091
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
4 module:add_feature "http://jabber.org/protocol/muc#unique" |
|
6409
5fd6c739e9bf
plugins/mod_muc_unique: Fix undefined global access (thanks Lance)
Waqas Hussain <waqas20@gmail.com>
parents:
6091
diff
changeset
|
5 module:hook("iq-get/host/http://jabber.org/protocol/muc#unique:unique", function(event) |
|
6091
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
6 local origin, stanza = event.origin, event.stanza; |
|
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
7 origin.send(st.reply(stanza) |
|
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
8 :tag("unique", {xmlns = "http://jabber.org/protocol/muc#unique"}) |
|
8878
7c3e16fdaf1d
mod_muc_unique: Use util.id for more compact identifiers
Kim Alvefur <zash@zash.se>
parents:
6409
diff
changeset
|
9 :text(unique_name():lower()) |
|
6091
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
10 ); |
|
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
11 return true; |
|
3a1c39b31497
plugins/muc/mod_muc: Move Xep-0307 MUC unique to seperate file
daurnimator <quae@daurnimator.com>
parents:
diff
changeset
|
12 end,-1); |
