# HG changeset patch
# User Matthew Wild
# Date 1306967124 -3600
# Node ID 683523db4fe83ecbd18881df1f7802fbb21311d5
# Parent 3976bad56640fbbe6b1b38a96487c5eae1642231# Parent a37522bf6b1bb0db231110760dfb99e0dee3a7d3
Merge 0.6->0.7
diff -r 3976bad56640 -r 683523db4fe8 core/xmlhandlers.lua
--- a/core/xmlhandlers.lua Fri Jul 23 09:17:11 2010 +0100
+++ b/core/xmlhandlers.lua Wed Jun 01 23:25:24 2011 +0100
@@ -17,6 +17,16 @@
 local default_log = require "util.logger".init("xmlhandlers");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+ default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+ .."vulnerable to denial-of-service attacks. You should upgrade to "
+ .."LuaExpat 1.1.1 or higher as soon as possible. See "
+ .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
 local error = error;
 module "xmlhandlers"
@@ -139,6 +149,18 @@
 stanza, chardata = nil, {};
 end
 end
+
+ local function restricted_handler()
+ cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+ end
+
+ if lxp_supports_doctype then
+ xml_handlers.StartDoctypeDecl = restricted_handler;
+ end
+ xml_handlers.Comment = restricted_handler;
+ xml_handlers.StartCdataSection = restricted_handler;
+ xml_handlers.ProcessingInstruction = restricted_handler;
+
 return xml_handlers;
 end
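Review bot: When the `lxp_supports_doctype` probe fails, the module only emits one load-time `warn` line and carries on, so a server on the older LuaExpat keeps accepting streams while DOCTYPE declarations cannot be rejected. That fail-open choice should be stated next to the probe, for example `-- NOTE: without StartDoctypeDecl support DOCTYPE cannot be refused; the only mitigation is upgrading LuaExpat`, and the message may deserve the `error` level so it is not lost among routine warnings. The probe also treats any failure of `lxp.new` as "callback unsupported"; a short comment that it appears to rely on older LuaExpat rejecting unknown callback names would make that assumption visible. Whether `lxp` is already in scope at this point cannot be seen from the hunk.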
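Review bot: `restricted_handler` reports the violation through `cb_error` but does not abort the parse, so the rest of the buffer already handed to the parser is still processed after a DOCTYPE, comment, CDATA section or processing instruction is seen. Whether `cb_error` tears the session down is not visible here, and the enclosing function begins outside the hunk. Where the installed LuaExpat exposes a stop method, the handler could take the parser argument that lxp passes to callbacks and halt explicitly: `local function restricted_handler(parser)` followed by `if not parser.stop or not parser:stop() then error("Failed to abort parsing"); end`. A one-line comment naming RFC 6120 section 11.1 as the reason these four callbacks are wired to the same handler would also help the next reader.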