-rw-r--r--net/http.lua2
-rw-r--r--plugins/mod_blocklist.lua6
-rw-r--r--plugins/mod_legacyauth.lua4
-rw-r--r--plugins/mod_saslauth.lua19
-rw-r--r--plugins/mod_tls.lua2
-rwxr-xr-xprosodyctl4
-rw-r--r--util/stanza.lua15
7 files changed, 26 insertions, 26 deletions
diff --git a/net/http.lua b/net/http.lua
index 35e02fdf..357b7452 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -165,7 +165,7 @@ function request(u, ex, callback)
local sslctx = false;
if using_https then
- sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2" } };
+ sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
end
local handler, conn = server.addclient(host, port_number, listener, "*a", sslctx)
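Review bot: The fallback context on the changed line still carries no `verify` or CA setting, so unless `server.addclient` supplies one, HTTPS requests made without `ex.sslctx` would accept any peer certificate. Turning off SSLv2 and SSLv3 narrows protocol downgrade but does not authenticate the server. A caller-supplied `ex.sslctx` also bypasses the new `no_sslv3` option entirely, which deserves a comment such as `-- callers passing ex.sslctx must disable SSLv2/SSLv3 themselves`. The body of `request` continues outside this hunk, so any certificate check done elsewhere is not visible here.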
diff --git a/plugins/mod_blocklist.lua b/plugins/mod_blocklist.lua
index 1f09ca13..70bfb5fc 100644
--- a/plugins/mod_blocklist.lua
+++ b/plugins/mod_blocklist.lua
@@ -43,7 +43,6 @@ end
-- Migrates from the old mod_privacy storage
local function migrate_privacy_list(username)
local migrated_data = { [false] = "not empty" };
- module:log("info", "Migrating blocklist from mod_privacy storage for user '%s'", username);
local legacy_data = module:open_store("privacy"):get(username);
if legacy_data and legacy_data.lists and legacy_data.default then
legacy_data = legacy_data.lists[legacy_data.default];
@@ -52,6 +51,7 @@ local function migrate_privacy_list(username)
return migrated_data;
end
if legacy_data then
+ module:log("info", "Migrating blocklist from mod_privacy storage for user '%s'", username);
local item, jid;
for i = 1, #legacy_data do
item = legacy_data[i];
@@ -149,7 +149,9 @@ local function edit_blocklist(event)
for jid, in_roster in pairs(new) do
if not blocklist[jid] and in_roster and sessions[username] then
for _, session in pairs(sessions[username].sessions) do
- module:send(st.presence({ type = "unavailable", to = jid, from = session.full_jid }));
+ if session.presence then
+ module:send(st.presence({ type = "unavailable", to = jid, from = session.full_jid }));
+ end
end
end
end
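Review bot: The new `if session.presence then` guard has no comment saying why sessions without presence are skipped. A line such as `-- only sessions that have broadcast presence; others would reveal their full JID to the newly blocked contact` would record the intent, assuming that is the reason for the check. `edit_blocklist` begins and ends outside this hunk.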
diff --git a/plugins/mod_legacyauth.lua b/plugins/mod_legacyauth.lua
index 54cbec24..5edc26bb 100644
--- a/plugins/mod_legacyauth.lua
+++ b/plugins/mod_legacyauth.lua
@@ -11,8 +11,8 @@
local st = require "util.stanza";
local t_concat = table.concat;
-local secure_auth_only = module:get_option("c2s_require_encryption")
- or module:get_option("require_encryption")
+local secure_auth_only = module:get_option("c2s_require_encryption",
+ module:get_option("require_encryption"))
or not(module:get_option("allow_unencrypted_plain_auth"));
local sessionmanager = require "core.sessionmanager";
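Review bot: `secure_auth_only` is read here with the untyped `module:get_option`, while the mod_saslauth hunk in this same commit moves the same options to `module:get_option_boolean`; the `c2s_require_encryption` line in the mod_tls hunk has the same mismatch. With the untyped getter a quoted value such as `"false"` is truthy in Lua, so the three modules could presumably disagree about whether encryption is required for the same config file. Suggest `module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption"))` in both places.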
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 9e63b4c7..e42adbe1 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -16,8 +16,10 @@ local base64 = require "util.encodings".base64;
local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
local tostring = tostring;
-local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
-local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth")
+local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
+local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
+local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
+local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", {});
local log = module._log;
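Review bot: The entries of `insecure_sasl_mechanisms` and `disable_sasl_mechanisms` are taken from the config as written, and the `:contains(mechanism)` checks in the auth-hook and stream-features hunks compare them with the mechanism name exactly, assuming the set does a plain key lookup. A lowercase entry such as `"plain"` would then silently fail to disable or protect `PLAIN`. Normalising the configured names to upper case when the sets are built, or warning about entries that match no mechanism the handler offers, would make such a typo fail visibly. An explicit `insecure_sasl_mechanisms` also overrides `allow_unencrypted_plain_auth` without any log line, which is worth a comment next to the default.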
@@ -183,9 +185,12 @@ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
end
local mechanism = stanza.attr.mechanism;
- if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
+ if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then
session.send(build_reply("failure", "encryption-required"));
return true;
+ elseif disabled_mechanisms:contains(mechanism) then
+ session.send(build_reply("failure", "invalid-mechanism"));
+ return true;
end
local valid_mechanism = session.sasl_handler:select(mechanism);
if not valid_mechanism then
@@ -231,11 +236,15 @@ module:hook("stream-features", function(event)
end
local mechanisms = st.stanza("mechanisms", mechanisms_attr);
for mechanism in pairs(origin.sasl_handler:mechanisms()) do
- if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then
+ if (not disabled_mechanisms:contains(mechanism)) and (origin.secure or not insecure_mechanisms:contains(mechanism)) then
mechanisms:tag("mechanism"):text(mechanism):up();
end
end
- if mechanisms[1] then features:add_child(mechanisms); end
+ if mechanisms[1] then
+ features:add_child(mechanisms);
+ else
+ (origin.log or log)("warn", "No SASL mechanisms to offer");
+ end
else
features:tag("bind", bind_attr):tag("required"):up():up();
features:tag("session", xmpp_session_attr):tag("optional"):up():up();
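Review bot: The new `"No SASL mechanisms to offer"` warning does not distinguish an unencrypted stream, where every mechanism may be withheld on purpose, from an encrypted one, where an empty list points at a misconfiguration. If the backend offers only mechanisms listed as insecure, each plain connection attempt would presumably emit a `warn` line before authentication, which any remote client can trigger repeatedly. Consider `(origin.log or log)(origin.secure and "warn" or "debug", "No SASL mechanisms to offer");`. The hook function starts and ends outside this hunk, so an earlier return for unencrypted streams may already cover part of this.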
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index 351aaffc..f2d76c38 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -9,7 +9,7 @@
local create_context = require "core.certmanager".create_context;
local st = require "util.stanza";
-local c2s_require_encryption = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
+local c2s_require_encryption = module:get_option("c2s_require_encryption", module:get_option("require_encryption"));
local s2s_require_encryption = module:get_option("s2s_require_encryption");
local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
local s2s_secure_auth = module:get_option("s2s_secure_auth");
diff --git a/prosodyctl b/prosodyctl
index df8c8e75..bfb118c3 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -552,7 +552,7 @@ function commands.about(arg)
print(" "..path);
end
print("");
- local luarocks_status = (pcall(require, "luarocks.loader") and "Installed ("..(luarocks.cfg.program_version or "2.x+")..")")
+ local luarocks_status = (pcall(require, "luarocks.loader") and "Installed ("..(package.loaded["luarocks.cfg"].program_version or "2.x+")..")")
or (pcall(require, "luarocks.require") and "Installed (1.x)")
or "Not installed";
print("LuaRocks: ", luarocks_status);
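Review bot: `package.loaded["luarocks.cfg"]` is indexed without a nil check, so if `require "luarocks.loader"` succeeds but leaves nothing loaded under that exact module name, `commands.about` raises an error instead of printing a status. Suggest `local lr_cfg = package.loaded["luarocks.cfg"];` ahead of the expression and `(lr_cfg and lr_cfg.program_version or "2.x+")` inside it. `commands.about` starts and ends outside this hunk.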
@@ -816,7 +816,7 @@ function commands.check(arg)
if not what or what == "config" then
print("Checking config...");
local deprecated = set.new({
- "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login",
+ "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", "require_encryption",
});
local known_global_options = set.new({
"pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
diff --git a/util/stanza.lua b/util/stanza.lua
index 3d7caf8c..82601e63 100644
--- a/util/stanza.lua
+++ b/util/stanza.lua
@@ -202,19 +202,8 @@ end
local xml_escape
do
- local escape_table = {
- ["'"] = "'";
- ['"'] = """;
- ["<"] = "&lt;";
- [">"] = "&gt;";
- ["&"] = "&amp;";
- -- escape this whitespace because [\r\n\t] change into spaces in attributes
- -- and \r\n changes into \n in text, and we want to preserve original bytes
- ["\t"] = "&#x9;";
- ["\n"] = "&#xA;";
- ["\r"] = "&#xD;";
- };
- function xml_escape(str) return (s_gsub(str, "['&<>\"\t\n\r]", escape_table)); end
+ local escape_table = { ["'"] = "&apos;", ["\""] = "&quot;", ["<"] = "&lt;", [">"] = "&gt;", ["&"] = "&amp;" };
+ function xml_escape(str) return (s_gsub(str, "['&<>\"]", escape_table)); end
_M.xml_escape = xml_escape;
end
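Review bot: With the `\t`, `\n` and `\r` entries gone, the new `escape_table` line carries no comment on how whitespace in attribute values is meant to be handled; the removed comment recorded that these bytes turn into spaces in attributes. If `xml_escape` is still used for attribute values, a receiving parser will normalise them, so a consumer that compares or hashes attribute content may see different bytes than were sent. Either keep the three numeric character references or add a comment such as `-- whitespace is deliberately not escaped; attribute values containing \t \n \r will not round-trip`.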