aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* util.format: Escape ASCII control characters in outputKim Alvefur2021-06-152-1/+21
| | | | | | | This should offer some protection against doing evil things to terminals. Doesn't protect against pure broken UTF-8 garbage however. See #734
* util.dbuffer: Fix bugs, remove multi-char support (more complex than first ↵Matthew Wild2021-06-292-24/+3
| | | | | | | | | thought) Character sequences could be split across chunk boundaries. Would require a bunch of code to make that work reliably. Only apply front_consumed on first chunk, and adjust buffer_pos accordingly.
* util.dbuffer: Add read_until() methodMatthew Wild2021-06-292-0/+58
|
* util.prosodyctl.check: Collect options from all global pluginsKim Alvefur2021-05-271-0/+45
|
* util.prosodyctl.check: Format, sort option listings into canonical formKim Alvefur2021-05-271-8/+34
| | | | | Makes merges and diffs easier to read and deal with, especially when using tools to gather options from the codebase.
* mod_admin_adhoc: Log who performs administrative actionsKim Alvefur2021-06-271-13/+25
| | | | Goal is to have some accountability for these privileged actions.
* mod_admin_adhoc: Delete "Get User Password" commandKim Alvefur2021-06-271-36/+0
| | | | | | | | | This doesn't really make sense today. It doesn't even work with mod_auth_internal_hashed, which should be the default. And even with a supporting authentication module, why would we just hand out the password? One use case may be to recover a forgotten password. While not yet included with Prosody, there are better ways to handle forgotten passwords, usually by resetting them to a new password.
* mod_pubsub,mod_pep: Support "max" as 'pubsub#max_items'Kim Alvefur2021-06-098-16/+78
| | | | | | Fixes #1643 API change: The argument to archive_itemstore() changes type to integer
* util.dataforms: Define a integer + "max" datatypeKim Alvefur2020-09-181-0/+9
|
* core.stanza_router: Rename variable to be more specificKim Alvefur2021-06-251-3/+3
|
* mod_external_services: Report overall status as a module statusKim Alvefur2021-06-211-2/+4
| | | | | | | | | | | | | Because during startup, if all items are provided by a different module (e.g. mod_turn_external) then this would log a scary warning even if everything is fine after that other module has been loaded. This way, any persistent problematic state is reported in the console. Errors with individual items should still be reported by prepare(). Now, if you load mod_external_services alone without configuring any services, no error or warning is reported in the log, but maybe that's not so bad with it reported in the console.
* mod_external_services: Validate items as they are addedKim Alvefur2021-06-211-0/+4
|
* mod_external_services: Also validate services added by other modulesKim Alvefur2021-06-211-1/+2
| | | | | | | | This ensures that problems with entries added other modules, e.g. mod_turn_external, are reported on startup. However, this depends on load order and whether a `module:depends()` call comes before the `module:add_item()` call. A followup commit will do something about that.
* mod_storage_sql: Fix for move of yes/no function (Thanks Kasim)Kim Alvefur2021-06-211-2/+2
|
* mod_s2s: Remove duplicate method call (thanks luacheck)Kim Alvefur2021-06-211-1/+0
| | | | Should have been removed in the previous commit.
* mod_s2s: Guard against LuaSec not returning TLS info here tooKim Alvefur2021-06-211-1/+2
| | | | See previous commit to mod_c2s: a62146353528
* mod_c2s: Guard against LuaSec not returning TLS info (thanks Martin)Kim Alvefur2021-06-211-4/+4
| | | | | | | | | The :info() method has been observed to return nothing ... sometimes. Unclear what causes it. Perhaps the TLS connection was shut down or hasn't fully settled? The LuaSec code has code paths that return nothing or nil, error, so it is best to guard against it.
* doap: Update XEP-0368 entry with mention of direct_tls_portsKim Alvefur2021-06-201-1/+1
|
* CHANGES: Add Direct TLS supportKim Alvefur2021-06-201-0/+1
| | | | | | | | Since there is now support for SNI with per-host certificates as well as support in `prosodyctl check dns`. Previous "support" was just the 'legacy_ssl' option, which didn't have much other supporting code.
* mod_c2s: Log the same messages for Direct TLS as with starttlsKim Alvefur2021-06-201-1/+6
| | | | ^C^V
* mod_c2s: Update a comment to reflect Direct TLSKim Alvefur2021-06-201-1/+1
|
* util.prosodyctl.check: Ensure that libunbound does not check hosts fileKim Alvefur2021-06-201-0/+3
| | | | | | This fixes wrongly reported DNS problems on some distros where the hosts file contains an entry for the local machine, pointing at a loopback address such as 127.0.1.1 or similar.
* util.prosodyctl.check: Deprecate legacy_ssl related optionsKim Alvefur2021-06-201-0/+1
|
* util.prosodyctl.check: Add support for checking Direct TLS SRV recordsKim Alvefur2021-06-201-1/+23
|
* mod_c2s: Add a Direct TLS listenerKim Alvefur2021-06-201-0/+10
| | | | | This only differs from 'legacy_ssl' in name, at least on the server side. For clients this is the one that uses SRV records.
* util.prosodyctl.check: Fix for net.dns vs unbound API differenceKim Alvefur2021-06-201-2/+2
| | | | | net.dns returns nil for NXDOMAIN, while net.unbound returns a table with zero items and various status fields.
* util.prosodyctl.check: Add knowledge of the global-only 'use_ipv4' settingKim Alvefur2021-06-201-1/+1
|
* mod_http_file_share: Update comment about x-frame-optionsKim Alvefur2021-06-201-1/+1
| | | | | | | | | X-Frame-Options was replaced by the Content-Security-Policy 'frame-ancestors' directive, but Internet Explorer does not support that part of CSP. Since it's just one line it doesn't hurt to keep until some future spring cleaning event :)
* CHANGES: Add OpenMetrics changes to StatisticsKim Alvefur2021-06-191-0/+1
|
* mod_s2s: Bail if connection is destroyed after attempting to open streamKim Alvefur2021-06-161-0/+5
| | | | | | | | | | Fixes "attempt to compare number with nil" because `session.version` has been cleared by s2smanager.destroy_session. This can happen with the server_epoll setting opportunistic_writes enabled, which means that it can notice that the connection failed at this point, after which it triggers the whole chain of events that leads to session destruction and "cleaning" most of the session fields.
* mod_c2s,mod_s2s: Collect stats on TLS versions and ciphersKim Alvefur2021-06-162-0/+13
|
* mod_admin_shell: module:info: List 'items' that can be formatted easilyKim Alvefur2021-06-121-0/+14
| | | | | Some items like HTTP providers would be very verbose, others are tricky to handle.
* mod_admin_shell: module:info: Show friendlier name for known 'items'Kim Alvefur2021-06-121-1/+9
|
* mod_admin_shell: module:info: List provided 'items'Kim Alvefur2021-06-121-0/+6
|
* mod_admin_shell: module:info: Use existing host string representationKim Alvefur2021-06-121-8/+2
| | | | | | Hosts have a metatable __tostring method that produces a nice representation such as `VirtualHost "example.com"`, which even includes the component module for internal components.
* mod_admin_shell: module:info: List dependenciesKim Alvefur2021-06-121-0/+6
|
* mod_admin_shell: module:info: Show module statusKim Alvefur2021-06-121-0/+3
|
* mod_admin_shell: Add basic command that shows more info about loaded modulesKim Alvefur2021-06-121-0/+29
| | | | | To show info about loaded modules. Inspired by the desire to know whether a module was loaded from the core set or 3rd party.
* util.openmetrics: Use pack from util.table, detect appropriate unpack for ↵Matthew Wild2021-06-141-4/+5
| | | | Lua 5.1 (thanks sups)
* mod_turn_external: Simple module to offer TURN(+STUN) via mod_external_servicesKim Alvefur2021-01-212-1/+30
|
* core.portmanager: Also reload per-SNI certificatesKim Alvefur2021-06-101-1/+3
|
* core.portmanager: Reload direct TLS certificates after config reloadKim Alvefur2021-06-101-0/+21
| | | | | This should re-create all contexts the same way as when the service was activated, which reloads certificates.
* core.portmanager: Factor out base TLS context creation for reuseKim Alvefur2021-06-101-10/+15
| | | | Thinking I can use this to reload certificates after config reload
* net.server_epoll: Add missing method for changing TLS contextKim Alvefur2021-06-101-0/+4
| | | | | Supported by the other net.server implementations already, but not used anywhere in Prosody.
* mod_http_file_share: Build list of measuring buckets for configured size limitKim Alvefur2021-06-081-1/+7
| | | | | Creates buckets up to the configured size limit or 1TB, whichever is smaller, e.g. {1K, 4K, 16K, ... 4M, 16M}
* util.openmetrics: Prettify format of histogram bucketsKim Alvefur2021-06-081-1/+1
| | | | | | | | | "%g" turns 1GB into 1.07374e+09, which is a bit awkward for the bytes measurements IMO. Turning up the precision, at "%.17g" turns 0.1 into 0.10000000000000001 while "%0.16" gives 0.1, hiding most of those pesky floating point artefacts. Lua version 5.2 uses "%.14g" ( see LUA_NUMBER_FMT in luaconf.h.html ) so it seems like a sensible choice here.
* net.server_epoll: Fix reporting of socket connect timeoutKim Alvefur2021-06-071-0/+2
| | | | | | | | | | | | | | | | | | | If the underlying TCP connection times out before the write timeout kicks in, end up here with err="timeout", which the following code treats as a minor issue. Then, due to epoll apparently returning the EPOLLOUT (writable) event too, we go on and try to write to the socket (commonly stream headers). This fails because the socket is closed, which becomes the error returned up the stack to the rest of Prosody. This also trips the 'onconnect' signal, which has effects on various things, such as the net.connect state machine. Probably undesirable effects. With this, we instead return "connection timeout", like server_event, and destroy the connection handle properly. And then nothing else happens because the connection has been destroyed.
* core.certmanager: Skip service certificate lookup for https clientKim Alvefur2021-05-271-1/+2
| | | | | | Quick Fix\u{2122} to stop prevent certmanager from automatically adding a client certificate for net.http.request, since this normally does not require such.
* core.portmanager: Fix race condition in initialization of SNI cert mapKim Alvefur2021-05-281-2/+2
| | | | | | | | | | | | | | | | | Under some circumstances when hosts and modules are loaded in some certain order, entries end up missing from the SNI map. This manifests in e.g. `curl https://localhost:5281/` giving an error about "unrecognized name". The `service` argument is `nil` when invoked from the "host-activated" event, leading it to iterating over every service. And then it would not be fetching e.g. `http_host` from the config, which explains why https would sometimes not work due to the missing name entry. Because when `service` is included, this limits the iteration to matching entries, while also returning the same value as the `name` loop variable. Because `name == service when service != nil` we can use name instead in the body of the loop.
* scansion: Really silence the certificates dir errorKim Alvefur2021-05-281-1/+1
| | | | certificate_s_, plural, is the directory setting