prosody
38c95544b7ee
spec/scansion/http_upload.scs
Software / code / prosody
File
spec/scansion/http_upload.scs @ 13289:38c95544b7ee
mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default
This channel binding method is now enabled when a hash is manually set in the
config, or it attempts to discover the hash automatically if the value is the
special string "auto".
A related change to mod_c2s prevents complicated certificate lookups in the
client connection hot path - this work now happens only when this channel
binding method is used. I'm not aware of anything else that uses ssl_cfg (vs
ssl_ctx).
Rationale for disabling by default:
- Minor performance impact in automatic cert detection
- This method is weak against a leaked/stolen private key (other methods such
as 'tls-exporter' would not be compromised in such a case)
Rationale for keeping the implementation:
- For some deployments, this may be the only method available (e.g. due to
TLS offloading in another process/server).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 26 Oct 2023 15:14:39 +0100 |
| parent | 11360:f36a2e54ac81 |
line wrap: on
line source
# XEP-0363 HTTP Upload with mod_http_file_share [Client] Romeo password: password jid: filesharingenthusiast@localhost/krxLaE3s ----- Romeo connects Romeo sends: <iq to='upload.localhost' type='get' id='932c02fe-4461-4ad4-9c85-54863294b4dc' xml:lang='en'> <request content-type='text/plain' filename='verysmall.dat' xmlns='urn:xmpp:http:upload:0' size='5'/> </iq> Romeo receives: <iq id='932c02fe-4461-4ad4-9c85-54863294b4dc' from='upload.localhost' type='result'> <slot xmlns='urn:xmpp:http:upload:0'> <get url='{scansion:any}'/> <put url='{scansion:any}'> <header name='Authorization'></header> </put> </slot> </iq> Romeo sends: <iq to='upload.localhost' type='get' id='46ca64f3-518e-42bd-8e2f-4ab2f6d2224f' xml:lang='en'> <request content-type='text/plain' filename='toolarge.dat' xmlns='urn:xmpp:http:upload:0' size='10000000000'/> </iq> Romeo receives: <iq id='46ca64f3-518e-42bd-8e2f-4ab2f6d2224f' from='upload.localhost' type='error'> <error type='modify'> <not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/> <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>File too large</text> <file-too-large xmlns='urn:xmpp:http:upload:0'> <max-file-size>10000000</max-file-size> </file-too-large> </error> </iq> Romeo sends: <iq to='upload.localhost' type='get' id='497c20dd-dda2-4feb-8199-7086e203de46' xml:lang='en'> <request content-type='text/plain' filename='negative.dat' xmlns='urn:xmpp:http:upload:0' size='-1000'/> </iq> Romeo receives: <iq id='497c20dd-dda2-4feb-8199-7086e203de46' from='upload.localhost' type='error'> <error type='modify'> <bad-request xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/> <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>File size must be positive integer</text> </error> </iq> Romeo sends: <iq to='upload.localhost' type='get' id='ac56d83f-a627-4732-8399-60492d1210b6' xml:lang='en'> <request content-type='text/plain' filename='invalid/filename.dat' xmlns='urn:xmpp:http:upload:0' size='1000'/> </iq> Romeo receives: <iq id='ac56d83f-a627-4732-8399-60492d1210b6' from='upload.localhost' type='error'> <error type='modify'> <bad-request xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/> <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Invalid filename</text> </error> </iq> Romeo sends: <iq to='upload.localhost' type='get' id='1401d3b5-7973-486f-85b3-3e63d13c7f0e' xml:lang='en'> <request content-type='application/x-executable' filename='evil.exe' xmlns='urn:xmpp:http:upload:0' size='1000'/> </iq> Romeo receives: <iq id='1401d3b5-7973-486f-85b3-3e63d13c7f0e' from='upload.localhost' type='error'> <error type='modify'> <not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/> <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>File type not allowed</text> </error> </iq> Romeo disconnects # recording ended on 2021-01-27T22:10:46Z
