Software `/` code `/` prosody

--- a/.hgtags	Wed Jan 06 03:28:56 2016 +0100
+++ b/.hgtags	Fri Jan 08 16:16:08 2016 +0100
@@ -56,3 +56,4 @@
 e4b998ffc92249ea96716ab878f961f03769339d 0.9.6
 9030b056bd4a5b8402c9b1e1cd65dd35f046032f 0.9.7
 b1c84d220c409b7b17cd41e850576db253406b0a 0.9.8
+7ec52755622f1009aaf7b02fc9bc91e8ad9974be 0.9.9
--- a/net/dns.lua	Wed Jan 06 03:28:56 2016 +0100
+++ b/net/dns.lua	Fri Jan 08 16:16:08 2016 +0100
@@ -591,7 +591,7 @@
 		if resolv_conf then
 			for line in resolv_conf:lines() do
 				line = line:gsub("#.*$", "")
-					:match('^%s*nameserver%s+([%x:%.]*)%s*$');
+					:match('^%s*nameserver%s+([%x:%.]*%%?%S*)%s*$');
 				if line then
 					local ip = new_ip(line);
 					if ip then
@@ -853,7 +853,9 @@
 					--self.print(response);

 					for j,rr in pairs(response.answer) do
-						self:remember(rr, response.question[1].type)
+						if rr.name:sub(-#response.question[1].name, -1) == response.question[1].name then
+							self:remember(rr, response.question[1].type)
+						end
 					end

 					-- retire the query
--- a/plugins/mod_http_files.lua	Wed Jan 06 03:28:56 2016 +0100
+++ b/plugins/mod_http_files.lua	Fri Jan 08 16:16:08 2016 +0100
@@ -49,6 +49,34 @@
 	end
 end

+local forbidden_chars_pattern = "[/%z]";
+if prosody.platform == "windows" then
+	forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
+end
+
+local urldecode = require "util.http".urldecode;
+function sanitize_path(path)
+	local out = {};
+
+	local c = 0;
+	for component in path:gmatch("([^/]+)") do
+		component = urldecode(component);
+		if component:find(forbidden_chars_pattern) then
+			return nil;
+		elseif component == ".." then
+			if c <= 0 then
+				return nil;
+			end
+			out[c] = nil;
+			c = c - 1;
+		elseif component ~= "." then
+			c = c + 1;
+			out[c] = component;
+		end
+	end
+	return "/"..table.concat(out, "/");
+end
+
 local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.

 function serve(opts)
@@ -60,7 +88,11 @@
 	local directory_index = opts.directory_index;
 	local function serve_file(event, path)
 		local request, response = event.request, event.response;
-		local orig_path = request.path;
+		path = sanitize_path(path);
+		if not path then
+			return 400;
+		end
+		local orig_path = sanitize_path(request.path);
 		local full_path = base_path .. (path and "/"..path or ""):gsub("/", path_sep);
 		local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows
 		if not attr then
--- a/tests/test.lua	Wed Jan 06 03:28:56 2016 +0100
+++ b/tests/test.lua	Fri Jan 08 16:16:08 2016 +0100
@@ -14,6 +14,7 @@
 	dotest "util.multitable"
 	dotest "util.rfc6724"
 	dotest "util.http"
+	dotest "core.modulemanager"
 	dotest "core.stanza_router"
 	dotest "core.s2smanager"
 	dotest "core.configmanager"
@@ -140,9 +141,12 @@
 	end

 	local oldmodule, old_M = _fakeG.module, _fakeG._M;
-	_fakeG.module = function () _M = unit end
+	_fakeG.module = function ()
+		setmetatable(unit, nil);
+		unit._M = unit;
+	end
 	setfenv(chunk, unit);
-	local success, ret = pcall(chunk);
+	local success, err = pcall(chunk);
 	_fakeG.module, _fakeG._M = oldmodule, old_M;
 	if not success then
 		print("WARNING: ", "Failed to initialise module: "..unitname, err);
--- a/util/ip.lua	Wed Jan 06 03:28:56 2016 +0100
+++ b/util/ip.lua	Fri Jan 08 16:16:08 2016 +0100
@@ -25,6 +25,10 @@
 	elseif proto ~= "IPv4" and proto ~= "IPv6" then
 		return nil, "invalid protocol";
 	end
+	local zone;
+	if proto == "IPv6" and ipStr:find('%', 1, true) then
+		ipStr, zone = ipStr:match("^(.-)%%(.*)");
+	end
 	if proto == "IPv6" and ipStr:find('.', 1, true) then
 		local changed;
 		ipStr, changed = ipStr:gsub(":(%d+)%.(%d+)%.(%d+)%.(%d+)$", function(a,b,c,d)
@@ -33,7 +37,7 @@
 		if changed ~= 1 then return nil, "invalid-address"; end
 	end

-	return setmetatable({ addr = ipStr, proto = proto }, ip_mt);
+	return setmetatable({ addr = ipStr, proto = proto, zone = zone }, ip_mt);
 end

 local function toBits(ip)