aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2011-06-01 23:02:10 +0100
committerMatthew Wild <mwild1@gmail.com>2011-06-01 23:02:10 +0100
commita587c56a9fb55635be7ed84c58e66bd152b5293c (patch)
tree3f408a36d413cf741c9a211fb55b8f3d0551b652
parent544b19989df4fac1a95af676c7da45d8e17c1263 (diff)
downloadprosody-a587c56a9fb55635be7ed84c58e66bd152b5293c.tar.gz
prosody-a587c56a9fb55635be7ed84c58e66bd152b5293c.zip
util.xmppstream: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning.
-rw-r--r--util/xmppstream.lua21
1 files changed, 21 insertions, 0 deletions
diff --git a/util/xmppstream.lua b/util/xmppstream.lua
index a13e9d32..f92c5ffa 100644
--- a/util/xmppstream.lua
+++ b/util/xmppstream.lua
@@ -19,6 +19,16 @@ local setmetatable = setmetatable;
local default_log = require "util.logger".init("xmppstream");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+ default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+ .."vulnerable to denial-of-service attacks. You should upgrade to "
+ .."LuaExpat 1.1.1 or higher as soon as possible. See "
+ .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
local error = error;
module "xmppstream"
@@ -158,6 +168,17 @@ function new_sax_handlers(session, stream_callbacks)
end
end
+ local function restricted_handler()
+ cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+ end
+
+ if lxp_supports_doctype then
+ xml_handlers.StartDoctypeDecl = restricted_handler;
+ end
+ xml_handlers.Comment = restricted_handler;
+ xml_handlers.StartCdataSection = restricted_handler;
+ xml_handlers.ProcessingInstruction = restricted_handler;
+
local function reset()
stanza, chardata = nil, {};
stack = {};