authorMatthew Wild <mwild1@gmail.com>2011-06-01 23:02:10 +0100
committerMatthew Wild <mwild1@gmail.com>2011-06-01 23:02:10 +0100
commitad47950b379f1f72b4b990449837a57f55f46533 (patch)
tree24c840872a3b942aa17fd15951ec3b63c1ce4c70 /util/xmppstream.lua
parent69a4cd5a25e4368bcc162c28138cba1d4d920c86 (diff)
util.xmppstream: Reject XML comments, processing instructions and (if supported by LuaExpat) DTDs. If not supported, log a warning.
Diffstat (limited to 'util/xmppstream.lua')
-rw-r--r--util/xmppstream.lua21
1 files changed, 21 insertions, 0 deletions
diff --git a/util/xmppstream.lua b/util/xmppstream.lua
index cbdadd9b..d1cb652d 100644
--- a/util/xmppstream.lua
+++ b/util/xmppstream.lua
@@ -16,6 +16,16 @@ local t_concat = table.concat;
local default_log = require "util.logger".init("xmppstream");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+ default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+ .."vulnerable to denial-of-service attacks. You should upgrade to "
+ .."LuaExpat 1.1.1 or higher as soon as possible. See "
+ .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
local error = error;
module "xmppstream"
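Review bot: When the probe `pcall(lxp.new, { StartDoctypeDecl = false })` fails, the only effect is a single `warn` line at module load; stream parsing then carries on with DTDs still accepted, so a deployment whose operator misses that line stays exposed to the denial-of-service the message describes. Consider logging at `error` level, or at least state the fail-open choice in a comment next to the check. The `COMPAT` comment would also be clearer if it said how the probe works, e.g. `-- lxp.new() is expected to raise on a callback name it does not recognise, so a failed pcall means no StartDoctypeDecl hook` (presumably that is the mechanism; confirm against LuaExpat). The help link in the message uses `http://`; an `https://` URL would be preferable if the site serves one.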
@@ -150,6 +160,17 @@ function new_sax_handlers(session, stream_callbacks)
end
end
+ local function restricted_handler()
+ cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+ end
+
+ if lxp_supports_doctype then
+ xml_handlers.StartDoctypeDecl = restricted_handler;
+ end
+ xml_handlers.Comment = restricted_handler;
+ xml_handlers.StartCdataSection = restricted_handler;
+ xml_handlers.ProcessingInstruction = restricted_handler;
+
local function reset()
stanza, chardata = nil, {};
end
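Review bot: The added `xml_handlers.StartCdataSection = restricted_handler;` rejects CDATA sections, which the commit message does not mention (it lists comments, processing instructions and DTDs) and which, as far as I recall, RFC 6120 section 11.1 does not list among the restricted XML features, so this may break interoperability with clients that legitimately send CDATA. Either drop that line or justify it in place, e.g. `-- CDATA is rejected deliberately: <reason>`. Separately, `restricted_handler` only calls `cb_error`; whether the parser stops consuming the rest of the input afterwards depends on `cb_error` and the session code, which are outside this hunk, so a one-line comment stating that expectation would help the next reader. `new_sax_handlers` starts and ends outside the hunk.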