Software `/` code `/` prosody

Comparison

core/xmlhandlers.lua @ 4276:a37522bf6b1b

xmlhandlers: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning. [Backport of 7cc426988bcc in trunk]

author	Matthew Wild <mwild1@gmail.com>
date	Wed, 01 Jun 2011 23:20:54 +0100
parent	2923:b7049746bd29
child	4277:683523db4fe8
child	4280:65e2c089d138

comparison

equal deleted inserted replaced

-:76f0d653b347
+:a37522bf6b1b
 local ipairs = ipairs;
 local t_insert = table.insert;
 local t_concat = table.concat;
 local default_log = require "util.logger".init("xmlhandlers");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+if not lxp_supports_doctype then
+	default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+		.."vulnerable to denial-of-service attacks. You should upgrade to "
+		.."LuaExpat 1.1.1 or higher as soon as possible. See "
+		.."http://prosody.im/doc/depends#luaexpat for more information.");
+end
 local error = error;
 module "xmlhandlers"
 				stanza = nil;
 			else
 				stanza:up();
 			end
 		end
+		local function restricted_handler()
+			cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+		end
+		if lxp_supports_doctype then
+			xml_handlers.StartDoctypeDecl = restricted_handler;
+		end
+		xml_handlers.Comment = restricted_handler;
+		xml_handlers.StartCdataSection = restricted_handler;
+		xml_handlers.ProcessingInstruction = restricted_handler;
 	return xml_handlers;
 end
 return init_xmlhandlers;

prosody

a37522bf6b1b

core/xmlhandlers.lua

Software / code / prosody

Comparison

core/xmlhandlers.lua @ 4276:a37522bf6b1b

Software `/` code `/` prosody