Commit message | Author | Age | Files | Lines
* util.xml: Deduplicate handlers for restricted XML [0.11.13] | Kim Alvefur | 2022-01-20 | 1 | -12/+5
|     Makes the code more like util.xmppstream, allowing easier comparisons if we ever need to apply fixes in the future.
* util.xml: Break reference to help the GC (fix #1711) | Kim Alvefur | 2022-01-20 | 1 | -5/+4
|     LuaExpat uses a registry reference to track handlers, which makes it so that an upvalue like this creates a reference loop that keeps the parser and its handlers from being garbage collected. The same issue has affected util.xmppstream in the past.
|
|     Code for checking:
|
|         local xml_parse = require"util.xml".parse;
|         for i = 1, 10000 do xml_parse("<root/>") end
|         collectgarbage(); collectgarbage();
|         print(collectgarbage("count"), "KiB");
|
|     A future release of LuaExpat may fix the underlying issue there.
* Added tag 0.11.12 for changeset 783056b4e448 | Matthew Wild | 2022-01-13 | 0 | -0/+0
|
* util.xml: Do not allow doctypes, comments or processing instructions [0.11.12] | Jonas Schäfer | 2022-01-10 | 2 | -3/+56
|     Yes. This is as bad as it sounds. CVE pending.
|
|     In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this.
|
|     This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nonetheless.
|
|     This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
* Tag 0.11.11 | Kim Alvefur | 2021-12-20 | 0 | -0/+0
|
* mod_pep: Wipe pubsub service on user deletion [0.11.11] | Kim Alvefur | 2021-11-04 | 1 | -0/+15
|     Data is already wiped from storage, but this ensures everything is properly unsubscribed, possibly with notifications etc.
|
|     Clears recipient cache as well, since it is no longer relevant.
* mod_pep: Prevent creation of services for non-existent users | Kim Alvefur | 2021-11-04 | 1 | -0/+15
|     Using a dedicated service should give identical behavior, except for a possible timing difference in the user existence lookup.
* mod_pep: Limit possible growth of node subscription info | Kim Alvefur | 2021-11-04 | 1 | -2/+5
|
* mod_pep: Limit possible growth of number of pubsub services | Kim Alvefur | 2021-11-04 | 1 | -2/+16
|
* mod_pep: Don't pass pubsub services across reloads | Kim Alvefur | 2021-11-04 | 1 | -6/+0
|     Ensures configuration is refreshed, releases some memory.
* net.server_epoll: Process all queued events from epoll before timers | Kim Alvefur | 2021-10-21 | 1 | -2/+4
|     Should call timers less frequently when many sockets are waiting for processing. May help under heavy load.
|
|     Requested by Ge0rG
|
|     Backport of 2bcd84123eba requested by Roi
* util.startup: Correctly point out unknown short param (fixes #1691) | Kim Alvefur | 2021-10-12 | 1 | -1/+1
|
* Merge wayward 0.11.10 tag commit | Kim Alvefur | 2021-10-01 | 0 | -0/+0
|\
| * Tag 0.11.10 | Kim Alvefur | 2021-08-03 | 0 | -0/+0
| |
* | net.server_epoll: Add a hard deadline on shutdown to extra-fix #1670 | Kim Alvefur | 2021-09-20 | 1 | -0/+12
| |     Should ensure shutdown even if sockets somehow take a very long time to get closed.
* | net.server_epoll: Close sockets added after shutdown signal (fixes #1670) | Kim Alvefur | 2021-09-20 | 1 | -0/+6
| |     This should ensure that sockets get closed even if they are added after the quit signal. Otherwise they may keep the server alive.
* | prosodyctl: Fix later import of LuaFileSystem | Kim Alvefur | 2021-09-11 | 1 | -1/+1
| |     lfs or WHAT
| |
| |     How did this even happen?
* | net.server_epoll: Fix to preserve ids of readded timers | Kim Alvefur | 2021-08-31 | 1 | -2/+2
| |     Likely affected rescheduling but have no reports of this.
| |
| |     After readding a timer, it would have been issued a new id. Rescheduling would use the previous id, thus not working.
* | makefile: fix prosody.version target | Lucas | 2021-08-15 | 1 | -9/+9
| |     POSIX is quite explicit regarding the precedence of AND-OR lists [0]:
| |
| |     > The operators "&&" and "||" shall have equal precedence and shall be
| |     > evaluated with left associativity. For example, both of the following
| |     > commands write solely `bar` to standard output:
| |
| |     >     false && echo foo || echo bar
| |     >     true || echo foo && echo bar
| |
| |     Given that, `prosody.version` target behaves as
| |
| |         ((((((test -f prosody.release && cp ...) || test -f ...) && sed ...) || test -f ...) && hexdump ...) || echo unknown > $@)
| |
| |     In the case of release tarballs, `prosody.release` does exist, so the first AND pair is executed. Given that it's successful, then the first `test -f` in the OR pair is ignored, and instead the `sed` in the AND pair is executed. `sed` succeeds, as `.hg_archival.txt` exists, making the second `test -f` in the OR pair ignored, and `hexdump` in the AND pair is executed. Now, given that `.hg` doesn't exist, it fails, so the last `echo` is run, overwriting `prosody.version` with `unknown`.
| |
| |     This can be worked around placing `()` around the AND pairs. Decided to use conditionals instead, as I think they better communicate the intention of the block.
| |
| |     [0]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_09_03
* | mod_c2s: Indicate stream secure state in error text when no stream features to offer | Matthew Wild | 2021-07-06 | 1 | -1/+4
|/
* MUC: Fix logic for access to affiliation lists [0.11.10] | Kim Alvefur | 2021-07-22 | 2 | -58/+84
|     Fixes https://prosody.im/security/advisory_20210722/
|
|     Backs out 4d7b925652d9
* util.ip: Fix netmask for link-local address range | Kim Alvefur | 2021-07-03 | 1 | -1/+1
|     This may have mistakenly caused link-local addresses to be considered global.
|
|     May have caused mod_s2s and prosodyctl check dns to behave incorrectly on networks using link-local IPv4 addresses.
|
|     By my guesstimate, these are extremely rare. Probably minimal impact beyond a bit longer to establish s2s and some possible confusion from prosodyctl check dns results.
|
|     Ref RFC 3927
* prosodyctl: Add 'limits' to known globals to warn about misplacing it | Kim Alvefur | 2021-05-27 | 1 | -1/+1
|     It will do nothing in a VirtualHost section for example.
* mod_pep: Remove obsolete node restoration code (now done by util.pubsub) | Kim Alvefur | 2021-05-16 | 1 | -12/+0
|     Originally added in 202b9951b037 but util.pubsub gained a better method in 6c2c2fc4b8dd since then, which mod_pep uses since 9194431b6447 which should have deleted this.
|
|     All these :create calls would have failed with a 'conflict' error, since the nodes had already been created. This was never noticed because of missing error handling.
|
|     Also note that this code did not restore node configuration.
* util.pubsub: Fix traceback if node data not initialized | Kim Alvefur | 2021-05-16 | 1 | -0/+4
|     This should not be possible, but a traceback indicating node_data being nil here was reported by Ron in the chat.
* Added tag 0.11.9 for changeset d0e9ffccdef9 | Matthew Wild | 2021-05-12 | 0 | -0/+0
|
* mod_dialback: Remove d-w-d feature [0.11.9] | Kim Alvefur | 2021-05-12 | 2 | -23/+1
|     Backs out 1d0862814bfc and 2fdd71b08126
|
|     Largely unused, undocumented and did not have enough tests to provide confidence in its correct operation.
* mod_dialback: Use correct host for certificate check (fixes #1381) | Kim Alvefur | 2019-06-23 | 1 | -2/+1
|
* mod_dialback: Use constant-time comparison with hmac | Matthew Wild | 2021-05-12 | 1 | -1/+2
|
* mod_proxy65: Restrict access to local c2s connections by default | Matthew Wild | 2021-05-12 | 1 | -4/+12
|     Previously no 'proxy65_acl' option would allow unrestricted access by local or remote JIDs.
* mod_limits: Use default limits if none configured | Matthew Wild | 2021-05-11 | 1 | -1/+10
|
* prosody.cfg.lua.dist: Enable rate limits by default | Matthew Wild | 2021-05-11 | 1 | -1/+12
|
* prosodyctl about: Report libexpat version if known | Matthew Wild | 2021-05-11 | 1 | -1/+5
|
* certmanager: Disable renegotiation by default | Matthew Wild | 2021-05-11 | 1 | -0/+2
|     This requires LuaSec 0.7+ and OpenSSL 1.1.1+
* mod_limits: Don't emit error when no burst period is configured | Matthew Wild | 2021-05-11 | 1 | -1/+1
|
* core.certmanager: Test for SSL options in absence of LuaSec config | Kim Alvefur | 2021-04-26 | 1 | -5/+9
|
* core.certmanager: Attempt to directly access LuaSec config table | Kim Alvefur | 2021-04-26 | 1 | -1/+1
|     Due to a bug this field was not properly exported before
|
|     See https://github.com/brunoos/luasec/issues/149
* util.xmppstream: Allow dynamically configuring the stanza size limit for a stream | Matthew Wild | 2021-05-10 | 1 | -0/+3
|     This may be useful for any plugins that want to experiment with different policies for stanza size limits (e.g. unauthenticated vs authenticated streams).
* util.xmppstream: Mark bytes for stream closure as handled | Matthew Wild | 2021-05-10 | 1 | -0/+3
|
* MUC: Add support for advertising muc#roomconfig_allowinvites in room disco#info | Matthew Wild | 2021-05-10 | 1 | -2/+10
|     The de-facto interpretation of this (undocumented) option is to indicate to the client whether it is allowed to invite other users to the MUC.
|
|     This differs from the existing option in our config form, which only controls the behaviour of sending of invites in a members-only MUC (we always allow invites in open rooms).
|
|     Conversations is one client known to use this disco#info item to determine whether it may send invites.
* mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets | Matthew Wild | 2021-05-10 | 2 | -3/+5
|
* util.xmppstream: Reduce default xmppstream limit to 1MB | Matthew Wild | 2021-05-10 | 1 | -1/+1
|
* util.set: Add is_set() to test if an object is a set | Matthew Wild | 2021-05-10 | 1 | -2/+8
|
* util.hashes: Add constant-time string comparison (binding to CRYPTO_memcmp) | Matthew Wild | 2021-05-10 | 1 | -0/+14
|
* mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default stanza size limits | Matthew Wild | 2021-05-07 | 5 | -5/+7
|     c2s/bosh/ws streams will default to 256KB, s2s and components to 512KB.
|
|     These values are aligned with ejabberd's default settings, which should reduce issues related to inconsistent size limits between servers on the XMPP network.
|
|     The previous default (10MB) is excessive for any production server, and allows significant memory usage by even unauthenticated sessions.
* util.startup: Set more aggressive defaults for GC | Matthew Wild | 2021-05-07 | 1 | -1/+7
|     Testing has demonstrated that the default GC parameters are not sufficient to prevent runaway memory growth when running under Lua 5.2 and Lua 5.3.
|
|     Setting the GC speed to 500 was tested on Lua versions 5.1->5.4 and did not display unbounded memory growth.
* prosodyctl: check config: Add 'gc' to list of global options | Matthew Wild | 2021-04-30 | 1 | -1/+1
|
* mod_saslauth: Use a defined SASL error | Kim Alvefur | 2021-03-18 | 1 | -1/+1
|
* mod_saslauth: Improve code style | Kim Alvefur | 2021-03-18 | 1 | -1/+3
|     This many returns deserve their own line.
|
|     `session["sasl_handler"]` style isn't used anywhere else.
* mod_c2s: Log about missing conn on async state changes | Kim Alvefur | 2021-03-18 | 1 | -0/+4
|