Software / code / prosody
Annotate
core/xmlhandlers.lua @ 4287:ee6a18f10a8d
xmlhandlers/xmppstream: Stop the parser when encountering restricted XML, completing the fix for the billion laughs attack
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 02 Jun 2011 15:19:05 +0100 |
| parent | 4280:65e2c089d138 |
| child | 4288:8fde6b6b4919 |
| rev | line source |
|---|---|
|
1523
841d61be198f
Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents:
1414
diff
changeset
|
1 -- Prosody IM |
|
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2261
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2261
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
355
diff
changeset
|
4 -- |
| 758 | 5 -- This project is MIT/X11 licensed. Please see the |
| 6 -- COPYING file in the source package for more information. | |
|
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
355
diff
changeset
|
7 -- |
|
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
355
diff
changeset
|
8 |
|
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
355
diff
changeset
|
9 |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
10 |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
11 require "util.stanza" |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
12 |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
13 local st = stanza; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
14 local tostring = tostring; |
| 148 | 15 local pairs = pairs; |
| 16 local ipairs = ipairs; | |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
17 local t_insert = table.insert; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
18 local t_concat = table.concat; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
19 |
| 145 | 20 local default_log = require "util.logger".init("xmlhandlers"); |
| 21 | |
|
4276
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
22 -- COMPAT: w/LuaExpat 1.1.0 |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
23 local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false }); |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
24 |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
25 if not lxp_supports_doctype then |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
26 default_log("warn", "The version of LuaExpat on your system leaves Prosody " |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
27 .."vulnerable to denial-of-service attacks. You should upgrade to " |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
28 .."LuaExpat 1.1.1 or higher as soon as possible. See " |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
29 .."http://prosody.im/doc/depends#luaexpat for more information."); |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
30 end |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
31 |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
32 local error = error; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
33 |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
34 module "xmlhandlers" |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
35 |
| 148 | 36 local ns_prefixes = { |
| 37 ["http://www.w3.org/XML/1998/namespace"] = "xml"; | |
| 38 } | |
| 39 | |
| 331 | 40 function init_xmlhandlers(session, stream_callbacks) |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
41 local ns_stack = { "" }; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
42 local curr_tag; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
43 local chardata = {}; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
44 local xml_handlers = {}; |
| 145 | 45 local log = session.log or default_log; |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
46 |
| 331 | 47 local cb_streamopened = stream_callbacks.streamopened; |
| 48 local cb_streamclosed = stream_callbacks.streamclosed; | |
|
557
c9b3ffb08fe3
Disconnect with stream errors on bad XML, or invalid stream namespace
Matthew Wild <mwild1@gmail.com>
parents:
545
diff
changeset
|
49 local cb_error = stream_callbacks.error or function (session, e) error("XML stream error: "..tostring(e)); end; |
|
545
60002993be04
Abstract xmlhandlers a bit more, also add error callbacks
Matthew Wild <mwild1@gmail.com>
parents:
519
diff
changeset
|
50 local cb_handlestanza = stream_callbacks.handlestanza; |
| 331 | 51 |
|
625
cad4dcfbf295
Change xmlhandlers to match stream opening tag with ns+tag
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
52 local stream_tag = stream_callbacks.stream_tag; |
|
899
b95368f199a1
core.xmlhandlers: Filter out default stream namespace from stanzas
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
53 local stream_default_ns = stream_callbacks.default_ns; |
|
557
c9b3ffb08fe3
Disconnect with stream errors on bad XML, or invalid stream namespace
Matthew Wild <mwild1@gmail.com>
parents:
545
diff
changeset
|
54 |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
55 local stanza |
|
625
cad4dcfbf295
Change xmlhandlers to match stream opening tag with ns+tag
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
56 function xml_handlers:StartElement(tagname, attr) |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
57 if stanza and #chardata > 0 then |
|
31
aaccbf07849b
Remove now useless debug output
Matthew Wild <mwild1@gmail.com>
parents:
20
diff
changeset
|
58 -- We have some character data in the buffer |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
59 stanza:text(t_concat(chardata)); |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
60 chardata = {}; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
61 end |
|
2077
e33658f6052c
Changed separator between attribute names and prefixes from '|' to '\1' (optimization and cleanup).
Waqas Hussain <waqas20@gmail.com>
parents:
2037
diff
changeset
|
62 local curr_ns,name = tagname:match("^([^\1]*)\1?(.*)$"); |
|
2261
13d55c66bf81
core.xmlhandlers: Fixed processing of empty namespaces (which caused an issue with jwchat).
Waqas Hussain <waqas20@gmail.com>
parents:
2077
diff
changeset
|
63 if name == "" then |
|
1051
0327c569eb1a
xmlhandlers: Fix tag pattern again for the default namespace
Matthew Wild <mwild1@gmail.com>
parents:
1003
diff
changeset
|
64 curr_ns, name = "", curr_ns; |
|
0327c569eb1a
xmlhandlers: Fix tag pattern again for the default namespace
Matthew Wild <mwild1@gmail.com>
parents:
1003
diff
changeset
|
65 end |
|
0327c569eb1a
xmlhandlers: Fix tag pattern again for the default namespace
Matthew Wild <mwild1@gmail.com>
parents:
1003
diff
changeset
|
66 |
|
899
b95368f199a1
core.xmlhandlers: Filter out default stream namespace from stanzas
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
67 if curr_ns ~= stream_default_ns then |
| 148 | 68 attr.xmlns = curr_ns; |
| 69 end | |
| 70 | |
| 71 -- FIXME !!!!! | |
|
1414
6f653b8beac9
xmlhandlers: Remove numeric attributes
Waqas Hussain <waqas20@gmail.com>
parents:
1155
diff
changeset
|
72 for i=1,#attr do |
|
6f653b8beac9
xmlhandlers: Remove numeric attributes
Waqas Hussain <waqas20@gmail.com>
parents:
1155
diff
changeset
|
73 local k = attr[i]; |
|
6f653b8beac9
xmlhandlers: Remove numeric attributes
Waqas Hussain <waqas20@gmail.com>
parents:
1155
diff
changeset
|
74 attr[i] = nil; |
|
2077
e33658f6052c
Changed separator between attribute names and prefixes from '|' to '\1' (optimization and cleanup).
Waqas Hussain <waqas20@gmail.com>
parents:
2037
diff
changeset
|
75 local ns, nm = k:match("^([^\1]*)\1?(.*)$"); |
|
2261
13d55c66bf81
core.xmlhandlers: Fixed processing of empty namespaces (which caused an issue with jwchat).
Waqas Hussain <waqas20@gmail.com>
parents:
2077
diff
changeset
|
76 if nm ~= "" then |
|
1154
570c0427fcb8
xmlhandlers: Removed an unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1153
diff
changeset
|
77 ns = ns_prefixes[ns]; |
|
570c0427fcb8
xmlhandlers: Removed an unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1153
diff
changeset
|
78 if ns then |
|
570c0427fcb8
xmlhandlers: Removed an unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1153
diff
changeset
|
79 attr[ns..":"..nm] = attr[k]; |
|
570c0427fcb8
xmlhandlers: Removed an unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1153
diff
changeset
|
80 attr[k] = nil; |
| 148 | 81 end |
| 82 end | |
| 83 end | |
| 145 | 84 |
| 85 if not stanza then --if we are not currently inside a stanza | |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
86 if session.notopen then |
|
625
cad4dcfbf295
Change xmlhandlers to match stream opening tag with ns+tag
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
87 if tagname == stream_tag then |
|
341
a9e02b5c58d2
Don't error if streamopened/streamclosed callback is not specified for a session
Matthew Wild <mwild1@gmail.com>
parents:
334
diff
changeset
|
88 if cb_streamopened then |
|
a9e02b5c58d2
Don't error if streamopened/streamclosed callback is not specified for a session
Matthew Wild <mwild1@gmail.com>
parents:
334
diff
changeset
|
89 cb_streamopened(session, attr); |
|
a9e02b5c58d2
Don't error if streamopened/streamclosed callback is not specified for a session
Matthew Wild <mwild1@gmail.com>
parents:
334
diff
changeset
|
90 end |
|
545
60002993be04
Abstract xmlhandlers a bit more, also add error callbacks
Matthew Wild <mwild1@gmail.com>
parents:
519
diff
changeset
|
91 else |
|
60002993be04
Abstract xmlhandlers a bit more, also add error callbacks
Matthew Wild <mwild1@gmail.com>
parents:
519
diff
changeset
|
92 -- Garbage before stream? |
|
557
c9b3ffb08fe3
Disconnect with stream errors on bad XML, or invalid stream namespace
Matthew Wild <mwild1@gmail.com>
parents:
545
diff
changeset
|
93 cb_error(session, "no-stream"); |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
94 end |
|
545
60002993be04
Abstract xmlhandlers a bit more, also add error callbacks
Matthew Wild <mwild1@gmail.com>
parents:
519
diff
changeset
|
95 return; |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
96 end |
| 38 | 97 if curr_ns == "jabber:client" and name ~= "iq" and name ~= "presence" and name ~= "message" then |
|
557
c9b3ffb08fe3
Disconnect with stream errors on bad XML, or invalid stream namespace
Matthew Wild <mwild1@gmail.com>
parents:
545
diff
changeset
|
98 cb_error(session, "invalid-top-level-element"); |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
99 end |
| 145 | 100 |
| 331 | 101 stanza = st.stanza(name, attr); |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
102 curr_tag = stanza; |
| 145 | 103 else -- we are inside a stanza, so add a tag |
| 148 | 104 attr.xmlns = nil; |
|
899
b95368f199a1
core.xmlhandlers: Filter out default stream namespace from stanzas
Matthew Wild <mwild1@gmail.com>
parents:
896
diff
changeset
|
105 if curr_ns ~= stream_default_ns then |
| 148 | 106 attr.xmlns = curr_ns; |
| 107 end | |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
108 stanza:tag(name, attr); |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
109 end |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
110 end |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
111 function xml_handlers:CharacterData(data) |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
112 if stanza then |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
113 t_insert(chardata, data); |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
114 end |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
115 end |
|
625
cad4dcfbf295
Change xmlhandlers to match stream opening tag with ns+tag
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
116 function xml_handlers:EndElement(tagname) |
|
2077
e33658f6052c
Changed separator between attribute names and prefixes from '|' to '\1' (optimization and cleanup).
Waqas Hussain <waqas20@gmail.com>
parents:
2037
diff
changeset
|
117 local curr_ns,name = tagname:match("^([^\1]*)\1?(.*)$"); |
|
2261
13d55c66bf81
core.xmlhandlers: Fixed processing of empty namespaces (which caused an issue with jwchat).
Waqas Hussain <waqas20@gmail.com>
parents:
2077
diff
changeset
|
118 if name == "" then |
|
1051
0327c569eb1a
xmlhandlers: Fix tag pattern again for the default namespace
Matthew Wild <mwild1@gmail.com>
parents:
1003
diff
changeset
|
119 curr_ns, name = "", curr_ns; |
|
0327c569eb1a
xmlhandlers: Fix tag pattern again for the default namespace
Matthew Wild <mwild1@gmail.com>
parents:
1003
diff
changeset
|
120 end |
|
334
bffd80e8c7a3
*ahem* Yes, move along please... though really, quite a classic. :)
Matthew Wild <mwild1@gmail.com>
parents:
331
diff
changeset
|
121 if (not stanza) or (#stanza.last_add > 0 and name ~= stanza.last_add[#stanza.last_add].name) then |
|
625
cad4dcfbf295
Change xmlhandlers to match stream opening tag with ns+tag
Matthew Wild <mwild1@gmail.com>
parents:
615
diff
changeset
|
122 if tagname == stream_tag then |
|
341
a9e02b5c58d2
Don't error if streamopened/streamclosed callback is not specified for a session
Matthew Wild <mwild1@gmail.com>
parents:
334
diff
changeset
|
123 if cb_streamclosed then |
|
a9e02b5c58d2
Don't error if streamopened/streamclosed callback is not specified for a session
Matthew Wild <mwild1@gmail.com>
parents:
334
diff
changeset
|
124 cb_streamclosed(session); |
|
a9e02b5c58d2
Don't error if streamopened/streamclosed callback is not specified for a session
Matthew Wild <mwild1@gmail.com>
parents:
334
diff
changeset
|
125 end |
| 145 | 126 elseif name == "error" then |
|
557
c9b3ffb08fe3
Disconnect with stream errors on bad XML, or invalid stream namespace
Matthew Wild <mwild1@gmail.com>
parents:
545
diff
changeset
|
127 cb_error(session, "stream-error", stanza); |
|
53
14ea0fe6ca86
Session destruction fixes, some debugging code while we fix the rest. Also change logger to be more useful.
Matthew Wild <mwild1@gmail.com>
parents:
40
diff
changeset
|
128 else |
|
557
c9b3ffb08fe3
Disconnect with stream errors on bad XML, or invalid stream namespace
Matthew Wild <mwild1@gmail.com>
parents:
545
diff
changeset
|
129 cb_error(session, "parse-error", "unexpected-element-close", name); |
|
53
14ea0fe6ca86
Session destruction fixes, some debugging code while we fix the rest. Also change logger to be more useful.
Matthew Wild <mwild1@gmail.com>
parents:
40
diff
changeset
|
130 end |
|
2037
a919511c45ac
xmlhandlers: Reset state on error or stream close, fixes possible traceback
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
131 stanza, chardata = nil, {}; |
|
a919511c45ac
xmlhandlers: Reset state on error or stream close, fixes possible traceback
Matthew Wild <mwild1@gmail.com>
parents:
1523
diff
changeset
|
132 return; |
|
53
14ea0fe6ca86
Session destruction fixes, some debugging code while we fix the rest. Also change logger to be more useful.
Matthew Wild <mwild1@gmail.com>
parents:
40
diff
changeset
|
133 end |
|
1155
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
134 if #chardata > 0 then |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
135 -- We have some character data in the buffer |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
136 stanza:text(t_concat(chardata)); |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
137 chardata = {}; |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
138 end |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
139 -- Complete stanza |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
140 if #stanza.last_add == 0 then |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
141 cb_handlestanza(session, stanza); |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
142 stanza = nil; |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
143 else |
|
a93b25f1528e
xmlhandlers: Removed another unnecessary check
Waqas Hussain <waqas20@gmail.com>
parents:
1154
diff
changeset
|
144 stanza:up(); |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
145 end |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
146 end |
|
4276
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
147 |
|
4287
ee6a18f10a8d
xmlhandlers/xmppstream: Stop the parser when encountering restricted XML, completing the fix for the billion laughs attack
Matthew Wild <mwild1@gmail.com>
parents:
4280
diff
changeset
|
148 local function restricted_handler(parser) |
|
4276
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
149 cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1."); |
|
4287
ee6a18f10a8d
xmlhandlers/xmppstream: Stop the parser when encountering restricted XML, completing the fix for the billion laughs attack
Matthew Wild <mwild1@gmail.com>
parents:
4280
diff
changeset
|
150 if not parser:stop() then |
|
ee6a18f10a8d
xmlhandlers/xmppstream: Stop the parser when encountering restricted XML, completing the fix for the billion laughs attack
Matthew Wild <mwild1@gmail.com>
parents:
4280
diff
changeset
|
151 error("Failed to abort parsing"); |
|
ee6a18f10a8d
xmlhandlers/xmppstream: Stop the parser when encountering restricted XML, completing the fix for the billion laughs attack
Matthew Wild <mwild1@gmail.com>
parents:
4280
diff
changeset
|
152 end |
|
4276
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
153 end |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
154 |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
155 if lxp_supports_doctype then |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
156 xml_handlers.StartDoctypeDecl = restricted_handler; |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
157 end |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
158 xml_handlers.Comment = restricted_handler; |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
159 xml_handlers.ProcessingInstruction = restricted_handler; |
|
a37522bf6b1b
xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]
Matthew Wild <mwild1@gmail.com>
parents:
2923
diff
changeset
|
160 |
|
1
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
161 return xml_handlers; |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
162 end |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
163 |
|
b8787e859fd2
Switched to new connection framework, courtesy of the luadch project
matthew
parents:
diff
changeset
|
164 return init_xmlhandlers; |
