tools/xep227toprosody.lua @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
author | Jonas Schäfer <jonas@wielicki.name> |
---|---|
date | Mon, 10 Jan 2022 18:23:54 +0100 |
parent | 6870:d5b416070f70 |
child | 11680:a3d3fb9d0d43 |
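#!/usr/bin/env lua
-- Prosody IM
-- Copyright (C) 2008-2009 Matthew Wild
-- Copyright (C) 2008-2009 Waqas Hussain
-- Copyright (C) 2010 Stefan Gehn
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- FIXME: XEP-0227 supports XInclude but luaexpat does not
--
-- XEP-227 elements and their current level of support:
-- Hosts : supported
-- Users : supported
-- Rosters : supported, needs testing
-- Offline Messages : supported, needs testing
-- Private XML Storage : supported, needs testing
-- vCards : supported, needs testing
-- Privacy Lists: UNSUPPORTED
-- http://xmpp.org/extensions/xep-0227.html#privacy-lists
-- mod_privacy uses dm.load(username, host, "privacy"); and stores stanzas 1:1
-- Incoming Subscription Requests : supported
--
-- Usage: xep227toprosody.lua filename.xml
--
-- The XEP-0227 file is streamed through expat; each <host/> element
-- switches the target host and each <user/> element is parsed as an
-- XMPP stream whose stanzas are written into the data directory with
-- util.datamanager.

package.path = package.path..";../?.lua";
package.cpath = package.cpath..";../?.so"; -- needed for util.pposix used in datamanager

-- When started with a path, also search relative to the script location
-- (the `arg` global is the interpreter's argument table, not our `...`).
local my_name = arg[0];
if my_name:match("[/\\]") then
	package.path = package.path..";"..my_name:gsub("[^/\\]+$", "../?.lua");
	package.cpath = package.cpath..";"..my_name:gsub("[^/\\]+$", "../?.so");
end

-- ugly workaround for getting datamanager to work outside of prosody :(
-- Deliberately a global (not local): the workaround only works because
-- util.datamanager finds this table by name.
prosody = { };
prosody.platform = "unknown";
if os.getenv("WINDIR") then
	prosody.platform = "windows";
elseif package.config:sub(1,1) == "/" then
	prosody.platform = "posix";
end

local lxp = require "lxp";
local st = require "util.stanza";
local xmppstream = require "util.xmppstream";
local new_xmpp_handlers = xmppstream.new_sax_handlers;
local dm = require "util.datamanager"
dm.set_data_path("data");

local ns_separator = xmppstream.ns_separator;
local ns_pattern = xmppstream.ns_pattern;

local xmlns_xep227 = "http://www.xmpp.org/extensions/xep-0227.html#ns";

-----------------------------------------------------------------------

--- Print a fatal message to stderr and terminate with a non-zero status.
-- All arguments are passed to io.stderr:write, so they must be strings.
local function fail(...)
	io.stderr:write(...);
	io.stderr:write("\n");
	os.exit(1);
end

--- Report the outcome of a datamanager call on stdout.
-- @param err error string returned by datamanager, or nil on success
-- @param what description of what was stored
local function report(err, what)
	print("["..(err or "success").."] "..what);
end

--- Create or update the vCard of username@host.
local function store_vcard(username, host, stanza)
	local _, err = dm.store(username, host, "vcard", st.preserialize(stanza));
	report(err, "stored vCard: "..username.."@"..host);
end

--- Create or update the account of username@host.
-- XEP-0227 carries the password in cleartext and it is stored as given;
-- it is deliberately NOT echoed to stdout, since tool output tends to end
-- up in terminals, shell logs and ticket attachments. A missing password
-- used to crash the nil concatenation in the old print; now it is a warning.
local function store_password(username, host, password)
	if not password then
		print("[warning] no password attribute for account: "..username.."@"..host);
	end
	local _, err = dm.store(username, host, "accounts", {password = password});
	report(err, "stored account: "..username.."@"..host);
end

--- Merge the imported roster items into the stored roster of username@host.
-- @param roster_items the jabber:iq:roster <query/> stanza
local function store_roster(username, host, roster_items)
	-- fetch current roster-table for username@host if he already has one
	local roster = dm.load(username, host, "roster") or {};
	-- merge imported roster-items with loaded roster
	for item_tag in roster_items:childtags("item") do
		local item_jid = item_tag.attr.jid;
		-- a missing jid would otherwise be used as a nil table index
		if item_jid and item_jid ~= "" then
			-- TODO: is the subscription attribute optional?
			local item = {subscription = item_tag.attr.subscription, groups = {}};
			-- optional: give roster item a real name
			if item_tag.attr.name then
				item.name = item_tag.attr.name;
			end
			-- optional: iterate over group stanzas inside item stanza
			for group_tag in item_tag:childtags("group") do
				local group_name = group_tag:get_text();
				if group_name and group_name ~= "" then
					item.groups[group_name] = true;
				else
					print("[error] invalid group stanza: "..group_tag:pretty_print());
				end
			end
			roster[item_jid] = item;
			print("[success] roster entry: "..username.."@"..host.." - "..item_jid);
		else
			print("[error] invalid roster stanza: "..item_tag:pretty_print());
		end
	end
	-- store merged roster-table
	local _, err = dm.store(username, host, "roster", roster);
	report(err, "stored roster: "..username.."@"..host);
end

--- Merge imported jabber:iq:private items into the private store.
-- Items are keyed "name:xmlns"; an item without an xmlns is reported
-- and skipped instead of crashing the import.
local function store_private(username, host, private_items)
	local private = dm.load(username, host, "private") or {};
	for _, ch in ipairs(private_items.tags) do
		local xmlns = ch.attr.xmlns;
		if xmlns then
			private[ch.name..":"..xmlns] = st.preserialize(ch);
			print("[success] private item: "..username.."@"..host.." - "..ch.name);
		else
			print("[error] private item without xmlns: "..username.."@"..host.." - "..ch.name);
		end
	end
	local _, err = dm.store(username, host, "private", private);
	report(err, "stored private: "..username.."@"..host);
end

--- Append every imported jabber:client <message/> to the offline store.
local function store_offline_messages(username, host, offline_messages)
	-- TODO: maybe use list_load(), append and list_store() instead
	-- of constantly reopening the file with list_append()?
	for ch in offline_messages:childtags("message", "jabber:client") do
		local _, err = dm.list_append(username, host, "offline", st.preserialize(ch));
		report(err, "stored offline message: "..username.."@"..host.." - "..(ch.attr.from or "<no from>"));
	end
end

--- Record an incoming subscription request as pending in the roster.
-- NOTE(review): the pending set is written to roster.pending; confirm this
-- is the layout the running Prosody version expects before relying on it.
local function store_subscription_request(username, host, presence_stanza)
	local from_bare = presence_stanza.attr.from;
	if not from_bare then
		print("[error] subscription request without from: "..presence_stanza:pretty_print());
		return;
	end
	-- fetch current roster-table for username@host if he already has one
	local roster = dm.load(username, host, "roster") or {};
	local item = roster[from_bare];
	if item and (item.subscription == "from" or item.subscription == "both") then
		return; -- already subscribed, do nothing
	end
	-- add to table of pending subscriptions
	roster.pending = roster.pending or {};
	roster.pending[from_bare] = true;
	local _, err = dm.store(username, host, "roster", roster);
	report(err, "stored subscription request: "..username.."@"..host.." - "..from_bare);
end

-----------------------------------------------------------------------

-- Parser state: the host currently being imported ("" outside a <host/>)
-- and the user whose <user/> stream is currently open.
local curr_host = "";
local user_name = "";

-- Each <user/> element is handled like an XMPP stream by util.xmppstream.
local cb = {
	stream_tag = "user",
	stream_ns = xmlns_xep227,
};

--- <user/> opened: the name/password attributes create the account.
function cb.streamopened(session, attr)
	session.notopen = false;
	user_name = attr.name;
	store_password(user_name, curr_host, attr.password);
end

--- <user/> closed: forget the user.
function cb.streamclosed(session)
	session.notopen = true;
	user_name = "";
end

--- Dispatch a child stanza of <user/> to the matching store_* function.
function cb.handlestanza(session, stanza)
	local xmlns = stanza.attr.xmlns;
	if stanza.name == "vCard" and xmlns == "vcard-temp" then
		store_vcard(user_name, curr_host, stanza);
	elseif stanza.name == "query" and xmlns == "jabber:iq:roster" then
		store_roster(user_name, curr_host, stanza);
	elseif stanza.name == "query" and xmlns == "jabber:iq:private" then
		store_private(user_name, curr_host, stanza);
	elseif stanza.name == "offline-messages" then
		store_offline_messages(user_name, curr_host, stanza);
	elseif stanza.name == "presence" and xmlns == "jabber:client" then
		store_subscription_request(user_name, curr_host, stanza);
	else
		print("UNHANDLED stanza "..stanza.name.." xmlns: "..(xmlns or ""));
	end
end

local user_handlers = new_xmpp_handlers({ notopen = true }, cb);

-----------------------------------------------------------------------

--- Split an expat qualified name into (namespace, local name).
-- Un-namespaced elements arrive without a separator, in which case the
-- whole name is the local name.
local function split_name(elementname)
	local curr_ns, name = elementname:match(ns_pattern);
	if name == "" then
		curr_ns, name = "", curr_ns;
	end
	return curr_ns, name;
end

local lxp_handlers = {};

--- Outer document handling: <server-data/> wraps <host/> elements; inside
-- a host everything is forwarded to the xmppstream handlers.
function lxp_handlers.StartElement(parser, elementname, attributes)
	local curr_ns, name = split_name(elementname);
	if curr_host ~= "" then
		-- forward to xmlhandlers
		user_handlers.StartElement(parser, elementname, attributes);
	elseif curr_ns == xmlns_xep227 and name == "host" then
		local jid = attributes["jid"];
		if not jid or jid == "" then
			fail("Host element without a jid attribute");
		end
		curr_host = jid; -- start of host element
		print("Begin parsing host "..curr_host);
	elseif curr_ns ~= xmlns_xep227 or name ~= "server-data" then
		fail("Unhandled XML element: ", name);
	end
end

--- Counterpart of StartElement: leaving a <host/> resets curr_host.
function lxp_handlers.EndElement(parser, elementname)
	local curr_ns, name = split_name(elementname);
	if curr_host ~= "" then
		if curr_ns == xmlns_xep227 and name == "host" then
			print("End parsing host "..curr_host);
			curr_host = ""; -- end of host element
		else
			-- forward to xmlhandlers
			user_handlers.EndElement(parser, elementname);
		end
	elseif curr_ns ~= xmlns_xep227 or name ~= "server-data" then
		fail("Unhandled XML element: ", name);
	end
end

--- Text is only meaningful inside a <host/>; elsewhere it is whitespace.
-- (Parameter renamed from `string`, which shadowed the string library.)
function lxp_handlers.CharacterData(parser, data)
	if curr_host ~= "" then
		-- forward to xmlhandlers
		user_handlers.CharacterData(parser, data);
	end
end

--- This tool drives expat directly instead of going through util.xml, so
-- it must apply the same restriction itself: a DOCTYPE may declare internal
-- entities, and recursive entity expansion ("billion laughs") exhausts
-- memory before a single element reaches the handlers above. XEP-0227
-- exports never need a DTD, so refuse the document outright.
function lxp_handlers.StartDoctypeDecl(parser)
	fail("XML doctype declarations are not allowed in XEP-0227 files");
end

-----------------------------------------------------------------------

local arg = ...;
local help_flags = {
	["/?"] = true, ["-?"] = true, ["?"] = true, ["/h"] = true,
	["-h"] = true, ["/help"] = true, ["-help"] = true, ["--help"] = true,
};
if not arg or help_flags[arg] then
	print([[XEP-227 importer for Prosody

Usage: xep227toprosody.lua filename.xml
]]);
	os.exit(1);
end

local file, open_err = io.open(arg);
if not file then
	-- exit non-zero here; the old exit(0) made a missing file look like success
	fail("Could not open file: ", arg, " (", tostring(open_err), ")");
end

local parser = lxp.new(lxp_handlers, ns_separator);

--- Abort with location information if expat reported an error.
local function check(ok, err, line, col)
	if not ok then
		fail("XML error in ", arg, " at line ", tostring(line), ", column ", tostring(col), ": ", tostring(err));
	end
end

-- Feed the file in raw chunks. Iterating with file:lines() would strip
-- every newline before it reached expat, silently mangling multi-line
-- text content (vCard notes, message bodies).
while true do
	local chunk = file:read(4096);
	if not chunk then break; end
	check(parser:parse(chunk));
end
check(parser:parse()); -- end of document
parser:close();
file:close();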