authorKim Alvefur <zash@zash.se>2020-11-11 16:00:41 +0100
committerKim Alvefur <zash@zash.se>2020-11-11 16:00:41 +0100
commit8328e6681e7a999c59be05c9e08158a0cf9f95d0 (patch)
treee750b29cd09996fd6d557a93df15a226e465e6ba
parent63f44f3640ba88bec4b910b27a1e0801cb0c0fcf (diff)
util.stanza: Reject ASCII control characters (fixes #1606)
-rw-r--r--spec/util_stanza_spec.lua1
-rw-r--r--util/stanza.lua10
2 files changed, 10 insertions, 1 deletions
diff --git a/spec/util_stanza_spec.lua b/spec/util_stanza_spec.lua
index 6fbae41a..da29f890 100644
--- a/spec/util_stanza_spec.lua
+++ b/spec/util_stanza_spec.lua
@@ -200,6 +200,7 @@ describe("util.stanza", function()
["number"] = 1234, ["table"] = {};
["utf8"] = string.char(0xF4, 0x90, 0x80, 0x80);
["nil"] = "nil"; ["boolean"] = true;
+ ["control characters"] = "\0\1\2\3";
};
for value_type, value in pairs(invalid_names) do
diff --git a/util/stanza.lua b/util/stanza.lua
index a90d56b3..cf2818ec 100644
--- a/util/stanza.lua
+++ b/util/stanza.lua
@@ -45,6 +45,10 @@ local _ENV = nil;
local stanza_mt = { __name = "stanza" };
stanza_mt.__index = stanza_mt;
+local function valid_xml_cdata(str, attr)
+ return not s_find(str, attr and "[^\1\9\10\13\20-~\128-\247]" or "[^\9\10\13\20-~\128-\247]");
+end
+
local function check_name(name, name_type)
if type(name) ~= "string" then
error("invalid "..name_type.." name: expected string, got "..type(name));
@@ -52,6 +56,8 @@ local function check_name(name, name_type)
error("invalid "..name_type.." name: empty string");
elseif s_find(name, "[<>& '\"]") then
error("invalid "..name_type.." name: contains invalid characters");
+ elseif not valid_xml_cdata(name, name_type == "attribute") then
+ error("invalid "..name_type.." name: contains control characters");
elseif not valid_utf8(name) then
error("invalid "..name_type.." name: contains invalid utf8");
end
@@ -60,7 +66,9 @@ end
local function check_text(text, text_type)
if type(text) ~= "string" then
error("invalid "..text_type.." value: expected string, got "..type(text));
- elseif not valid_utf8(text) then
+ elseif not valid_xml_cdata(text) then
+ error("invalid "..text_type.." value: contains control characters");
+ elseif not valid_utf8(text, false) then
error("invalid "..text_type.." value: contains invalid utf8");
end
end
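Review bot: The character class in the new `valid_xml_cdata` (first hunk of this file) uses `\20-~`, but Lua `\ddd` escapes are decimal, so `\20` is byte 0x14 and the range silently admits the C0 controls 0x14–0x1F (DC4 through US); the first permitted graphic byte should be space, i.e. `\32-~`, giving `"[^\1\9\10\13\32-~\128-\247]"` and `"[^\9\10\13\32-~\128-\247]"`. The spec entry `"\0\1\2\3"` added in spec/util_stanza_spec.lua only exercises bytes below 0x14, so it passes against the current pattern and would not catch this; adding a value such as `"\31"` (constructed example) to `invalid_names` would. The `\1` exemption in the attribute variant is not explained in the hunk — if it exists because attribute keys carry a `\1` separator internally, a one-line comment such as `-- \1 is the internal namespace/name separator in attribute keys` would help the next reader, assuming that is the reason. Separately, check_text now calls `valid_utf8(text, false)` while check_name keeps `valid_utf8(name)`; if valid_utf8 takes a single argument the extra `false` is dead and the two call sites should be made to match.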