prosody
9d1e21c23784
util/stanza.lua
Software / code / prosody
Comparison
util/stanza.lua @ 11205:9d1e21c23784 0.11
util.stanza: Reject ASCII control characters (fixes #1606)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 11 Nov 2020 16:00:41 +0100 |
| parent | 9674:6f97acc4583b |
| child | 11206:f051394762ff |
| child | 11261:be38ae8fdfa5 |
comparison
equal
deleted
inserted
replaced
| 11201:4ae1d485a9c6 | 11205:9d1e21c23784 |
|---|---|
| 43 -- luacheck: std none | 43 -- luacheck: std none |
| 44 | 44 |
| 45 local stanza_mt = { __name = "stanza" }; | 45 local stanza_mt = { __name = "stanza" }; |
| 46 stanza_mt.__index = stanza_mt; | 46 stanza_mt.__index = stanza_mt; |
| 47 | 47 |
| 48 local function valid_xml_cdata(str, attr) | |
| 49 return not s_find(str, attr and "[^\1\9\10\13\20-~\128-\247]" or "[^\9\10\13\20-~\128-\247]"); | |
| 50 end | |
| 51 | |
| 48 local function check_name(name, name_type) | 52 local function check_name(name, name_type) |
| 49 if type(name) ~= "string" then | 53 if type(name) ~= "string" then |
| 50 error("invalid "..name_type.." name: expected string, got "..type(name)); | 54 error("invalid "..name_type.." name: expected string, got "..type(name)); |
| 51 elseif #name == 0 then | 55 elseif #name == 0 then |
| 52 error("invalid "..name_type.." name: empty string"); | 56 error("invalid "..name_type.." name: empty string"); |
| 53 elseif s_find(name, "[<>& '\"]") then | 57 elseif s_find(name, "[<>& '\"]") then |
| 54 error("invalid "..name_type.." name: contains invalid characters"); | 58 error("invalid "..name_type.." name: contains invalid characters"); |
| 59 elseif not valid_xml_cdata(name, name_type == "attribute") then | |
| 60 error("invalid "..name_type.." name: contains control characters"); | |
| 55 elseif not valid_utf8(name) then | 61 elseif not valid_utf8(name) then |
| 56 error("invalid "..name_type.." name: contains invalid utf8"); | 62 error("invalid "..name_type.." name: contains invalid utf8"); |
| 57 end | 63 end |
| 58 end | 64 end |
| 59 | 65 |
| 60 local function check_text(text, text_type) | 66 local function check_text(text, text_type) |
| 61 if type(text) ~= "string" then | 67 if type(text) ~= "string" then |
| 62 error("invalid "..text_type.." value: expected string, got "..type(text)); | 68 error("invalid "..text_type.." value: expected string, got "..type(text)); |
| 63 elseif not valid_utf8(text) then | 69 elseif not valid_xml_cdata(text) then |
| 70 error("invalid "..text_type.." value: contains control characters"); | |
| 71 elseif not valid_utf8(text, false) then | |
| 64 error("invalid "..text_type.." value: contains invalid utf8"); | 72 error("invalid "..text_type.." value: contains invalid utf8"); |
| 65 end | 73 end |
| 66 end | 74 end |
| 67 | 75 |
| 68 local function check_attr(attr) | 76 local function check_attr(attr) |
