aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* mod_admin_shell: Add command to show current user rolesKim Alvefur2022-01-231-0/+20
|
* mod_admin_shell: Add help section about rolesKim Alvefur2022-01-231-0/+12
| | | | | | | As in the argument to user:create() and user:roles() Tricky to come up with something sensible to write when Prosody core only knows of the 'prosody:admin' role so far.
* mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tlsKim Alvefur2022-01-212-8/+17
| | | | | | | | | | So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that.
* mod_s2s: Enable outgoing Direct TLS connectionsKim Alvefur2022-01-212-3/+10
| | | | | | | | | | Makes it faster by cutting out the roundtrips involved in <starttls/>, at the cost of making an additional SRV lookup. Since we already ignore a missing <starttls/> offer and try anyway there is not much difference in security. The fact that XMPP is used and the hostnames involved might still be visible until the future Encrypted ClientHello extension allows hiding those too.
* net.connect: Allow passing TLS context from resolverKim Alvefur2022-01-211-1/+2
| | | | | | Only allowing it to be passed directly makes it hard to combine plain (i.e. starttls) and Direct TLS connections in the same connection resolution procedure. But now we can, using chained resolvers!
* net.resolvers.chain: A resolver for combining other resolversKim Alvefur2022-01-211-0/+38
| | | | Say if you wanted to try both _xmpp and _xmpps services
* Merge 0.11->trunkKim Alvefur2022-01-201-13/+5
|\
| * util.xml: Deduplicate handlers for restricted XML0.11.13Kim Alvefur2022-01-201-12/+5
| | | | | | | | | | Makes the code more like util.xmppstream, allowing easier comparisons if we ever need to apply fixes in the future.
| * util.xml: Break reference to help the GC (fix #1711)Kim Alvefur2022-01-201-5/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LuaExpat uses a registry reference to track handlers, which makes it so that an upvalue like this creates a reference loop that keeps the parser and its handlers from being garbage collected. The same issue has affected util.xmppstream in the past. Code for checking: local xml_parse = require"util.xml".parse; for i = 1, 10000 do xml_parse("<root/>") end collectgarbage(); collectgarbage(); print(collectgarbage("count"), "KiB"); A future release of LuaExpat may fix the underlying issue there.
| * Added tag 0.11.12 for changeset 783056b4e448Matthew Wild2022-01-130-0/+0
| |
| * util.xml: Do not allow doctypes, comments or processing instructions0.11.12Jonas Schäfer2022-01-102-3/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
* | util.prosodyctl.cert: Check success of copy operations, warn on failKim Alvefur2022-01-191-4/+9
| | | | | | | | | | Debugging a case where certs are not imported correctly but prosodyctl still reports success. Hoping this will shed some light on it.
* | util.prosodyctl.cert: Pass variables via formatting instead of concatenationKim Alvefur2022-01-191-5/+5
| | | | | | | | | | Prevents potential weirdness in case there's any %s or such in a host, file or directory name, since show_warning() is printf().
* | tools/xep227toprosody: Remove obsolete tool in favor of storage driverKim Alvefur2022-01-181-269/+0
| | | | | | | | | | | | | | | | | | | | This tool hasn't been updated for recent XEP-0227 changes, hasn't seen many changes at all since its introduction and I don't remember anyone mentioning ever using it. Using mod_storage_xmlarchive and the migrator or the 3rd party mod_migrate tool should work better these days and should be the way forward.
* | core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match ↵Kim Alvefur2022-01-181-3/+3
| | | | | | | | | | | | | | | | documentation Confusion! Thanks Martin
* | core.certmanager: Apply TLS preset before global settings (thanks Menel)Kim Alvefur2022-01-181-1/+1
| | | | | | | | | | | | Allows overriding settings via the global 'ssl' settings as before. This order was probably accidental. That said, 'ssl' is a giant footgun we will want to discourage use of.
* | mod_storage_xep0227: Fix luacheck warningMatthew Wild2022-01-171-1/+1
| |
* | mod_storage_xep0227: Fix traceback during iteration of driver storesMatthew Wild2022-01-171-1/+1
| | | | | | | | :include(other_set), :add(item)
* | mod_storage_xep0227: Fix file export (missing parameter) from refactor in ↵Matthew Wild2022-01-171-1/+1
| | | | | | | | 270047afa6af
* | mod_http: Increase severity of loading unreachable http modulesKim Alvefur2022-01-151-1/+1
| | | | | | | | | | | | | | | | This is either caused by an earlier failure to bind http/s ports, in which case that should be corrected, or explicitly disbling the http/s ports, in which case ... why enable http modules? Suggested by jonas’
* | mod_http: Skip querying portmanager when http_external_url when is setKim Alvefur2021-11-271-8/+17
| | | | | | | | | | | | | | | | When http_external_url is set then the portmanager usage only really serves as a check of whether any http service is enabled at all. Should allow generating an URL from prosodyctl when http_external_url is set.
* | util.jid: Explicitly check for nil rather than falsyKim Alvefur2022-01-152-14/+25
| | | | | | | | A boolean false should blow up.
* | mod_storage_xep0227: treat roster metadata pseudo-entry correctlyJonas Schäfer2022-01-151-1/+1
| | | | | | | | | | | | | | | | | | | | The roster version is stored in a pseudo-item which has the key `false`. The if condition in the touched code attempts to guard against this, but it does not take into account that the jid prepping returns nil instead of false. By moving the jid prepping into the if, we can check for the metadata entry safely.
* | mod_storage_xep0227: be defensive against empty vCardJonas Schäfer2022-01-151-1/+1
| | | | | | | | | | An empty vCard store may look like the empty table, which does not have the `attr` key, which would then blow up in util.stanza.deserialize.
* | mod_http: Limit unencrypted http port (5280) to loopback by defaultKim Alvefur2022-01-152-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since accessing this port directly over the wider Internet is unlikely to intentional anymore. Most uses will likely be by reverse proxies, by mistake or because of trouble configuring HTTPS. Blocking mistaken uses is just a good thing, letting users send potentially private things unencrypted tends to be Strongly Discouraged these days. Many reverse proxy setups operate over loopback, so listening there instead of all interfaces is a net improvement. Improved automatic certificate location and SNI support has mostly eliminated the need for manual certificate configuration so HTTPS should Just Work once certificates have been provided. For local testing during development, connecting over loopback is likely fine as well. When really needed, `http_interfaces` can still be set. Suggested by Link Mauve
* | mod_cron: Allow for a small amount of timer driftKim Alvefur2022-01-152-2/+2
| | | | | | | | | | | | | | | | | | If the timer activates a bit early then a task might be just a few seconds short of being allowed to run. This would run such a task rather than wait another hour. The value 0.5% chosen so that a weekly task does not run an entire hour earlier than last time.
* | mod_storage_xep0227: Fix luacheck warningsMatthew Wild2022-01-141-2/+2
| |
* | mod_storage_xep0227: Add API to iterate all stores of a userMatthew Wild2022-01-141-7/+23
| |
* | mod_storage_xep0227: Skip self-contacts on roster importMatthew Wild2022-01-141-11/+15
| |
* | util.xml: Do not allow doctypes, comments or processing instructionsJonas Schäfer2022-01-102-3/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
* | mod_http_file_share: Always measure total disk usage for statistics!Kim Alvefur2022-01-111-49/+46
| | | | | | | | | | | | | | | | | | | | | | Metrics available or not depending on configuration is weird, even tho it might be expensive to calculate and it's only really needed when there is a global quota. Default quota is set to infinity, which is essentially what it was. Reports NaN if there is an error, which should count as over the infinite default quota.
* | mod_bookmarks: Fix traceback on attempt to convert invalid bookmarkKim Alvefur2022-01-111-4/+9
| | | | | | | | | | | | | | | | Found by accidentally publishing {urn:xmpp:bookmarks:0}conference instead of :1 due to testing this earlier for the blocking. By the principle of garbage in, garbage out, just generate a bookmark from the item id / JID and carry on with a warning.
* | mod_bookmarks: Block publishing to older XEP-0402 v0.3.0 nodeKim Alvefur2022-01-101-1/+8
| | | | | | | | | | | | | | | | Having both the :0 and :1 nodes would be especially awkward, since there is no upgrade path for this case. In theory, these should be rare since no clients should have been doing XEP-0402 unless mod_bookmarks(2) was enabled. This was guesstimated to be rare with most clients doing XEP-0048 with Private XML.
* | mod_storage_xep0227: Fix writing non-user dataKim Alvefur2022-01-101-2/+3
| | | | | | | | | | | | | | Attempt to concatenate nil 'user' Not much data actually makes sense but the migrator tries to write or clear these.
* | mod_storage_xep0227: Ignore luacheck warningMatthew Wild2022-01-101-1/+1
| |
* | mod_storage_xep0227: Support for exporting nodes with no stored configurationMatthew Wild2022-01-101-0/+3
| |
* | mod_storage_xep0227: Allow overriding the input/output layer for XEP-0227 dataMatthew Wild2022-01-101-27/+49
| | | | | | | | This can (and will) be used to support in-memory import/export functions.
* | mod_bookmarks: Skip migration of legacy data when emptyKim Alvefur2022-01-101-1/+1
| | | | | | | | Should save some cycles and not log the debug message on every login.
* | mod_bookmarks: Make sure legacy bookmarks node exists to hold access modelKim Alvefur2022-01-101-19/+28
| |
* | mod_bookmarks: Broadcast notifications per XEP-0048 and XEP-0411Kim Alvefur2022-01-092-0/+43
| | | | | | | | For compatibility with clients relying on the notifications
* | util.prosodyctl.cert: Fix boolean logic bugKim Alvefur2022-01-091-1/+1
| | | | | | | | | | | | | | Boolean logic, never correct on the first try. We want to skip copying the same cert if it _has_ been imported already, not if it has not.
* | migrator: Support pubsub and pep as a special-caseKim Alvefur2022-01-092-10/+25
| | | | | | | | | | This sorta overloads the type suffix but PEP is used for enough stuff to justify this hack
* | migrator: Enhance loggingKim Alvefur2022-01-091-4/+11
| |
* | migrator: Add option to keep going despite errorsKim Alvefur2022-01-091-0/+14
| |
* | migrator: Also migrate host/non-user archive dataKim Alvefur2022-01-091-3/+2
| | | | | | | | Needed for things like mod_http_file_share
* | migrator: Refactor out individual item migrator for code deduplicationKim Alvefur2022-01-091-16/+18
| |
* | migrator: Include --options in usage infoKim Alvefur2022-01-091-1/+4
| |
* | migrator: Reuse earlier usage textKim Alvefur2022-01-091-3/+7
| |
* | migrator: Customise cli argument parsing (--help, --verbose)Kim Alvefur2022-01-091-1/+8
| | | | | | | | | | Previously -v etc would do nothing and --config without argument would not have worked correctly.
* | util.startup: Allow supplying an argument parsing settingsKim Alvefur2022-01-091-2/+2
| | | | | | | | | | | | The 'prosody' global is not global this early so there was no way to override the process type field or argument parsing settings from outside, e.g. from the migrator.