Comparison

util.xmppstream: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning.

comparison

equal deleted inserted replaced

-:7f789266b741
+:7cc426988bcc
 local t_concat = table.concat;
 local t_remove = table.remove;
 local setmetatable = setmetatable;
 local default_log = require "util.logger".init("xmppstream");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+if not lxp_supports_doctype then
+	default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+		.."vulnerable to denial-of-service attacks. You should upgrade to "
+		.."LuaExpat 1.1.1 or higher as soon as possible. See "
+		.."http://prosody.im/doc/depends#luaexpat for more information.");
+end
 local error = error;
 module "xmppstream"
 			end
 			stanza, chardata = nil, {};
 			stack = {};
 		end
 	end
+	local function restricted_handler()
+		cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+	end
+	if lxp_supports_doctype then
+		xml_handlers.StartDoctypeDecl = restricted_handler;
+	end
+	xml_handlers.Comment = restricted_handler;
+	xml_handlers.StartCdataSection = restricted_handler;
+	xml_handlers.ProcessingInstruction = restricted_handler;
 	local function reset()
 		stanza, chardata = nil, {};
 		stack = {};
 	end