prosody
250855633092
plugins/mod_bosh.lua
Software / code / prosody
Comparison
plugins/mod_bosh.lua @ 7379:250855633092
mod_bosh: Validate that 'sid' and 'wait' have sane values (fixes #475, also see #343)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 19 Apr 2016 12:18:19 +0200 |
| parent | 7378:d15cfe8627ad |
| child | 7380:d24d88feed76 |
comparison
equal
deleted
inserted
replaced
| 7378:d15cfe8627ad | 7379:250855633092 |
|---|---|
| 242 log("debug", "BOSH body open (sid: %s)", sid or "<none>"); | 242 log("debug", "BOSH body open (sid: %s)", sid or "<none>"); |
| 243 if not sid then | 243 if not sid then |
| 244 -- New session request | 244 -- New session request |
| 245 context.notopen = nil; -- Signals that we accept this opening tag | 245 context.notopen = nil; -- Signals that we accept this opening tag |
| 246 | 246 |
| 247 -- TODO: Sanity checks here (rid, to, known host, etc.) | |
| 248 local to_host = nameprep(attr.to); | 247 local to_host = nameprep(attr.to); |
| 248 local rid = tonumber(attr.rid); | |
| 249 local wait = tonumber(attr.wait); | |
| 249 if not to_host then | 250 if not to_host then |
| 250 log("debug", "BOSH client tried to connect to invalid host: %s", tostring(attr.to)); | 251 log("debug", "BOSH client tried to connect to invalid host: %s", tostring(attr.to)); |
| 251 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", | 252 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", |
| 252 ["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" }); | 253 ["xmlns:stream"] = xmlns_streams, condition = "improper-addressing" }); |
| 253 response:send(tostring(close_reply)); | 254 response:send(tostring(close_reply)); |
| 258 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", | 259 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", |
| 259 ["xmlns:stream"] = xmlns_streams, condition = "host-unknown" }); | 260 ["xmlns:stream"] = xmlns_streams, condition = "host-unknown" }); |
| 260 response:send(tostring(close_reply)); | 261 response:send(tostring(close_reply)); |
| 261 return; | 262 return; |
| 262 end | 263 end |
| 264 if not rid or (not wait and attr.wait or wait < 0) then | |
| 265 log("debug", "BOSH client sent invalid rid or wait attributes: rid=%s, wait=%s", tostring(attr.rid), tostring(attr.wait)); | |
| 266 local close_reply = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate", | |
| 267 ["xmlns:stream"] = xmlns_streams, condition = "bad-request" }); | |
| 268 response:send(tostring(close_reply)); | |
| 269 return; | |
| 270 end | |
| 271 | |
| 272 rid = rid - 1; | |
| 273 wait = math_min(wait, bosh_max_wait); | |
| 263 | 274 |
| 264 -- New session | 275 -- New session |
| 265 sid = new_uuid(); | 276 sid = new_uuid(); |
| 266 local session = { | 277 local session = { |
| 267 type = "c2s_unauthed", conn = {}, sid = sid, rid = tonumber(attr.rid)-1, host = attr.to, | 278 type = "c2s_unauthed", conn = {}, sid = sid, rid = rid-1, host = attr.to, |
| 268 bosh_version = attr.ver, bosh_wait = math_min(attr.wait, bosh_max_wait), streamid = sid, | 279 bosh_version = attr.ver, bosh_wait = wait, streamid = sid, |
| 269 bosh_hold = BOSH_DEFAULT_HOLD, bosh_max_inactive = BOSH_DEFAULT_INACTIVITY, | 280 bosh_hold = BOSH_DEFAULT_HOLD, bosh_max_inactive = BOSH_DEFAULT_INACTIVITY, |
| 270 requests = { }, send_buffer = {}, reset_stream = bosh_reset_stream, | 281 requests = { }, send_buffer = {}, reset_stream = bosh_reset_stream, |
| 271 close = bosh_close_stream, dispatch_stanza = core_process_stanza, notopen = true, | 282 close = bosh_close_stream, dispatch_stanza = core_process_stanza, notopen = true, |
| 272 log = logger.init("bosh"..sid), secure = consider_bosh_secure or request.secure, | 283 log = logger.init("bosh"..sid), secure = consider_bosh_secure or request.secure, |
| 273 ip = get_ip_from_request(request); | 284 ip = get_ip_from_request(request); |
