Software / code / prosody
Annotate
plugins/mod_uptime.lua @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 9572:867e40b82409 |
| child | 10565:421b2f8369fd |
| rev | line source |
|---|---|
|
1523
841d61be198f
Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents:
1495
diff
changeset
|
1 -- Prosody IM |
|
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2017
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2017
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
4345
diff
changeset
|
4 -- |
| 758 | 5 -- This project is MIT/X11 licensed. Please see the |
| 6 -- COPYING file in the source package for more information. | |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
438
diff
changeset
|
7 -- |
|
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
438
diff
changeset
|
8 |
|
2016
5d47cfa4b2a0
mod_uptime: Removed unused variables.
Waqas Hussain <waqas20@gmail.com>
parents:
2015
diff
changeset
|
9 local st = require "util.stanza"; |
|
1494
bdfa5274e111
mod_uptime: Convert to unix line endings
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
10 |
|
1495
6c745a108e68
mod_uptime: Use time of server start rather than module load
Matthew Wild <mwild1@gmail.com>
parents:
1494
diff
changeset
|
11 local start_time = prosody.start_time; |
|
4345
f6d694b1cdb3
mod_uptime: Use module:hook_global()
Matthew Wild <mwild1@gmail.com>
parents:
3540
diff
changeset
|
12 module:hook_global("server-started", function() start_time = prosody.start_time end); |
|
1524
a89fec6d76d2
mod_uptime: Fix bad uptime if module is loaded at startup
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
13 |
|
3232
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
14 -- XEP-0012: Last activity |
|
1494
bdfa5274e111
mod_uptime: Convert to unix line endings
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
15 module:add_feature("jabber:iq:last"); |
|
bdfa5274e111
mod_uptime: Convert to unix line endings
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
16 |
|
9226
affd84be3fc3
mod_uptime: Simplify iq handling by hooking on iq-get/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
8962
diff
changeset
|
17 module:hook("iq-get/host/jabber:iq:last:query", function(event) |
|
2015
2140c994671e
mod_uptime: Updated to use events (which also fixes a few minor issues).
Waqas Hussain <waqas20@gmail.com>
parents:
1524
diff
changeset
|
18 local origin, stanza = event.origin, event.stanza; |
|
9226
affd84be3fc3
mod_uptime: Simplify iq handling by hooking on iq-get/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
8962
diff
changeset
|
19 origin.send(st.reply(stanza):tag("query", {xmlns = "jabber:iq:last", seconds = tostring(os.difftime(os.time(), start_time))})); |
|
affd84be3fc3
mod_uptime: Simplify iq handling by hooking on iq-get/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
8962
diff
changeset
|
20 return true; |
|
2015
2140c994671e
mod_uptime: Updated to use events (which also fixes a few minor issues).
Waqas Hussain <waqas20@gmail.com>
parents:
1524
diff
changeset
|
21 end); |
|
3232
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
22 |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
23 -- Ad-hoc command |
|
8962
6c06bd455bbf
mod_uptime: Depend on mod_adhoc
Kim Alvefur <zash@zash.se>
parents:
8344
diff
changeset
|
24 module:depends "adhoc"; |
|
3232
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
25 local adhoc_new = module:require "adhoc".new; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
26 |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
27 function uptime_text() |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
28 local t = os.time()-prosody.start_time; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
29 local seconds = t%60; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
30 t = (t - seconds)/60; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
31 local minutes = t%60; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
32 t = (t - minutes)/60; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
33 local hours = t%24; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
34 t = (t - hours)/24; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
35 local days = t; |
|
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3232
diff
changeset
|
36 return string.format("This server has been running for %d day%s, %d hour%s and %d minute%s (since %s)", |
|
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3232
diff
changeset
|
37 days, (days ~= 1 and "s") or "", hours, (hours ~= 1 and "s") or "", |
|
3232
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
38 minutes, (minutes ~= 1 and "s") or "", os.date("%c", prosody.start_time)); |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
39 end |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
40 |
|
8344
071c0523c4cb
mod_uptime: Remove unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
41 function uptime_command_handler () |
|
3232
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
42 return { info = uptime_text(), status = "completed" }; |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
43 end |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
44 |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
45 local descriptor = adhoc_new("Get uptime", "uptime", uptime_command_handler); |
|
c47bfd62701c
mod_uptime: Add ad-hoc command
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
46 |
|
9572
867e40b82409
mod_ping, mod_uptime: Use module:provides
Kim Alvefur <zash@zash.se>
parents:
9226
diff
changeset
|
47 module:provides("adhoc", descriptor); |
