Diff

plugins/mod_pubsub/pubsub.lib.lua @ 8324:58d228da618f

mod_pubsub: Limit number of items to fetch from archive storage to pubsub#max_items to prevent unbounded query (thanks Martin and lovetox)
author Kim Alvefur <zash@zash.se>
date Sun, 15 Oct 2017 18:59:37 +0200
parent 8323:f2c1d65f706b
child 8325:9a845e9e9cbf
--- a/plugins/mod_pubsub/pubsub.lib.lua	Sun Oct 15 11:54:24 2017 +0200
+++ b/plugins/mod_pubsub/pubsub.lib.lua	Sun Oct 15 18:59:37 2017 +0200
@@ -2,6 +2,7 @@
 local time_now = os.time;
 
 local st = require "util.stanza";
+local ti = require "util.iterators";
 local uuid_generate = require "util.uuid".generate;
 local dataform = require"util.dataforms".new;
 
@@ -340,20 +341,23 @@
 	module:log("debug", "Creation of itemstore for node %s with config %s", node, config);
 	local get_set = {};
 	function get_set:items() -- luacheck: ignore 212/self
-		local data, err = archive:find(user);
+		local data, err = archive:find(user, {
+			limit = tonumber(config["pubsub#max_items"]);
+			reverse = true;
+		});
 		if not data then
 			module:log("error", "Unable to get items: %s", err);
 			return true;
 		end
 		module:log("debug", "Listed items %s", data);
-		return function()
+		return it.reverse(function()
 			local id, payload, when, publisher = data();
 			if id == nil then
 				return;
 			end
 			local item = create_encapsulating_item(id, payload, publisher, expose_publisher);
 			return id, item;
-		end;
+		end);
 	end
 	function get_set:get(key) -- luacheck: ignore 212/self
 		local data, err = archive:find(user, {
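Review bot: `it.reverse(...)` in get_set:items() uses a name this patch never binds, because the first hunk adds `local ti = require "util.iterators";`; unless `it` is defined elsewhere in the file, the call indexes a nil global and items() fails at runtime, so the require should read `local it = require "util.iterators";` (or the call should be `ti.reverse`). Separately, `tonumber(config["pubsub#max_items"])` yields nil when the option is missing or non-numeric, which drops the `limit` key from the query table and presumably leaves the archive query unbounded, the case this commit sets out to prevent. A fallback such as `limit = tonumber(config["pubsub#max_items"]) or DEFAULT_MAX_ITEMS;` (placeholder name for a module-level cap) would keep the bound in place. The enclosing itemstore constructor begins above the hunk and get_set:get continues below it.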