prosody
Changeset
12202:ebeb4d959fb3 0.11 0.11.13
util.xml: Deduplicate handlers for restricted XML
Makes the code more like util.xmppstream, allowing easier comparisons if
we ever need to apply fixes in the future.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 20 Jan 2022 10:51:46 +0100 |
parents | 12201:e5e0ab93d7f4 |
children | 12203:320de3e4b579 12210:458c5f8d5d3e |
files | util/xml.lua |
diffstat | 1 files changed, 5 insertions(+), 12 deletions(-) |
--- a/util/xml.lua Thu Jan 20 09:57:20 2022 +0100 +++ b/util/xml.lua Thu Jan 20 10:51:46 2022 +0100 @@ -66,23 +66,16 @@ stanza:up(); end -- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs. - function handler:StartDoctypeDecl() - if not self.stop or not self:stop() then + local function restricted_handler(parser) + if not parser.stop or not parser:stop() then error("Failed to abort parsing"); end end - function handler:ProcessingInstruction() - if not self.stop or not self:stop() then - error("Failed to abort parsing"); - end - end + handler.StartDoctypeDecl = restricted_handler; + handler.ProcessingInstruction = restricted_handler; if not options or not options.allow_comments then -- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data - function handler:Comment() - if not self.stop or not self:stop() then - error("Failed to abort parsing"); - end - end + handler.Comment = restricted_handler; end local parser = lxp.new(handler, ns_separator); local ok, err, line, col = parser:parse(xml);
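Review bot: the SECURITY comment now sits directly above `local function restricted_handler(parser)` and still reads "These two handlers, especially the Doctype one", but the function it introduces is shared by three callbacks, since it is also assigned to `handler.Comment` when `options.allow_comments` is not set. Consider moving that comment down to the `handler.StartDoctypeDecl = restricted_handler;` and `handler.ProcessingInstruction = restricted_handler;` assignments, or rewording it to describe the shared function, so a later reader does not take "two" to mean the comment handler is outside the security boundary or inside it by accident. The diffstat shows only util/xml.lua changing, so a test asserting that input containing a doctype declaration, a processing instruction, or (without `allow_comments`) a comment is still rejected would confirm the refactor kept the behaviour of the three removed handlers.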