Changeset
12203:320de3e4b579
Merge 0.11->trunk
author | Kim Alvefur <zash@zash.se> |
date | Thu, 20 Jan 2022 13:02:24 +0100 |
parents | 12200:2bb4ee5f42be (current diff) 12202:ebeb4d959fb3 (diff) |
children | 12204:7c397a49d163 |
files | util/xml.lua |
diffstat | 2 files changed, 6 insertions(+), 13 deletions(-) [+] |
--- a/.hgtags Wed Jan 19 10:28:09 2022 +0100
+++ b/.hgtags Thu Jan 20 13:02:24 2022 +0100
@@ -79,3 +79,4 @@
 d0e9ffccdef934af554ea2d4a5beb9a52e9e951d 0.11.9
 d117b92fd8e459170a98a8dece7f3930f4b6aed7 0.11.10
 76b4e3f12b53fedae96402d87fa9ee79e704ce5e 0.11.11
+783056b4e4480389d0e27883289b1bfef57e4729 0.11.12
--- a/util/xml.lua Wed Jan 19 10:28:09 2022 +0100
+++ b/util/xml.lua Thu Jan 20 13:02:24 2022 +0100
@@ -65,27 +65,19 @@
 function handler:EndElement()
 stanza:up();
 end
- local parser;
 -- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
- function handler:StartDoctypeDecl()
+ local function restricted_handler(parser)
 if not parser.stop or not parser:stop() then
 error("Failed to abort parsing");
 end
 end
- function handler:ProcessingInstruction()
- if not parser.stop or not parser:stop() then
- error("Failed to abort parsing");
- end
- end
+ handler.StartDoctypeDecl = restricted_handler;
+ handler.ProcessingInstruction = restricted_handler;
 if not options or not options.allow_comments then
 -- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
- function handler:Comment()
- if not parser.stop or not parser:stop() then
- error("Failed to abort parsing");
- end
- end
+ handler.Comment = restricted_handler;
 end
- parser = lxp.new(handler, ns_separator);
+ local parser = lxp.new(handler, ns_separator);
 local ok, err, line, col = parser:parse(xml);
 if ok then ok, err, line, col = parser:parse(); end
 --parser:close();
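Review bot: The SECURITY comment kept above `local function restricted_handler(parser)` still says "These two handlers", but after this refactor it describes one shared function that is installed for StartDoctypeDecl, ProcessingInstruction and, unless `options.allow_comments` is set, Comment; I would reword it to match, e.g. `-- SECURITY: restricted_handler aborts the parse on DOCTYPE declarations and processing instructions (and on comments unless allowed); the DOCTYPE case is what blocks entity-expansion attacks such as Billion Laughs.` A one-line doc comment on the function itself would also help, noting that it relies on LuaExpat passing the parser object as the first callback argument (which the switch from `function handler:...()` definitions to plain assignments appears to depend on) and that it fails closed with `error("Failed to abort parsing")` when the LuaExpat build has no `stop` method or `stop()` does not report success. The enclosing parse function starts before this hunk and its error handling continues after `--parser:close();`, so I could not confirm from here how that error surfaces to callers.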