author | Matthew Wild <mwild1@gmail.com> | 2011-06-01 23:02:10 +0100 |
---|---|---|
committer | Matthew Wild <mwild1@gmail.com> | 2011-06-01 23:02:10 +0100 |
commit | a587c56a9fb55635be7ed84c58e66bd152b5293c (patch) | |
tree | 3f408a36d413cf741c9a211fb55b8f3d0551b652 | |
parent | 544b19989df4fac1a95af676c7da45d8e17c1263 (diff) | |
util.xmppstream: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning.
-rw-r--r-- | util/xmppstream.lua | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/util/xmppstream.lua b/util/xmppstream.lua
index a13e9d32..f92c5ffa 100644
--- a/util/xmppstream.lua
+++ b/util/xmppstream.lua
@@ -19,6 +19,16 @@ local setmetatable = setmetatable;
 local default_log = require "util.logger".init("xmppstream");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+ default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+ .."vulnerable to denial-of-service attacks. You should upgrade to "
+ .."LuaExpat 1.1.1 or higher as soon as possible. See "
+ .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
 local error = error;
 module "xmppstream"
@@ -158,6 +168,17 @@ function new_sax_handlers(session, stream_callbacks)
 end
 end
+ local function restricted_handler()
+ cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+ end
+
+ if lxp_supports_doctype then
+ xml_handlers.StartDoctypeDecl = restricted_handler;
+ end
+ xml_handlers.Comment = restricted_handler;
+ xml_handlers.StartCdataSection = restricted_handler;
+ xml_handlers.ProcessingInstruction = restricted_handler;
+
 local function reset()
 stanza, chardata = nil, {};
 stack = {};
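Review bot: restricted_handler in the second hunk only reports the condition through cb_error and then returns, so the LuaExpat parser is not told to stop and will keep consuming whatever follows the comment, PI or DOCTYPE in the same parse() call; what that means depends on how cb_error disposes of the session (outside this hunk), so it is worth confirming that bytes still buffered after the stream error cannot reach the remaining handlers. The version probe `pcall(lxp.new, { StartDoctypeDecl = false })` presumably relies on older LuaExpat raising on an unknown callback key rather than silently ignoring it, and the `-- COMPAT` line says nothing about that; a comment such as `-- LuaExpat 1.1.0 errors on an unknown StartDoctypeDecl callback, so a failed pcall means DOCTYPEs cannot be rejected` would make the fallback path clear to the next reader. The same comment should spell out that on the fallback path DOCTYPE declarations are still accepted by the parser, which is the condition the warning text describes. new_sax_handlers starts before the second hunk and continues past it.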