prosody
53e0ae770917
util/paths.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

util/paths.lua @ 12180:53e0ae770917

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
author Jonas Schäfer <jonas@wielicki.name>
date Mon, 10 Jan 2022 18:23:54 +0100
parent 11183:2ac63715ef6f
line wrap: on
line source

local t_concat = table.concat;

local path_sep = package.config:sub(1,1);

local path_util = {}

-- Helper function to resolve relative paths (needed by config)
function path_util.resolve_relative_path(parent_path, path)
	if path then
		-- Some normalization
		parent_path = parent_path:gsub("%"..path_sep.."+$", "");
		path = path:gsub("^%.%"..path_sep.."+", "");

		local is_relative;
		if path_sep == "/" and path:sub(1,1) ~= "/" then
			is_relative = true;
		elseif path_sep == "\\" and (path:sub(1,1) ~= "/" and (path:sub(2,3) ~= ":\\" and path:sub(2,3) ~= ":/")) then
			is_relative = true;
		end
		if is_relative then
			return parent_path..path_sep..path;
		end
	end
	return path;
end

-- Helper function to convert a glob to a Lua pattern
function path_util.glob_to_pattern(glob)
	return "^"..glob:gsub("[%p*?]", function (c)
		if c == "*" then
			return ".*";
		elseif c == "?" then
			return ".";
		else
			return "%"..c;
		end
	end).."$";
end

function path_util.join(a, b, c, ...) -- (... : string) --> string
	-- Optimization: Avoid creating table for most uses
	if b then
		if c then
			if ... then
				return t_concat({a,b,c,...}, path_sep);
			end
			return a..path_sep..b..path_sep..c;
		end
		return a..path_sep..b;
	end
	return a;
end

function path_util.complement_lua_path(installer_plugin_path)
	-- Checking for duplicates
	-- The commands using luarocks need the path to the directory that has the /share and /lib folders.
	local lua_version = _VERSION:match(" (.+)$");
	local lua_path_sep = package.config:sub(3,3);
	local dir_sep = package.config:sub(1,1);
	local sub_path = dir_sep.."lua"..dir_sep..lua_version..dir_sep;
	if not string.find(package.path, installer_plugin_path, 1, true) then
		package.path = package.path..lua_path_sep..installer_plugin_path..dir_sep.."share"..sub_path.."?.lua";
		package.path = package.path..lua_path_sep..installer_plugin_path..dir_sep.."share"..sub_path.."?"..dir_sep.."init.lua";
	end
	if not string.find(package.path, installer_plugin_path, 1, true) then
		package.cpath = package.cpath..lua_path_sep..installer_plugin_path..dir_sep.."lib"..sub_path.."?.so";
	end
end

return path_util;