From 8328e6681e7a999c59be05c9e08158a0cf9f95d0 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Wed, 11 Nov 2020 16:00:41 +0100
Subject: util.stanza: Reject ASCII control characters (fixes #1606)

---
 spec/util_stanza_spec.lua |  1 +
 util/stanza.lua           | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/spec/util_stanza_spec.lua b/spec/util_stanza_spec.lua
index 6fbae41a..da29f890 100644
--- a/spec/util_stanza_spec.lua
+++ b/spec/util_stanza_spec.lua
@@ -200,6 +200,7 @@ describe("util.stanza", function()
 			["number"] = 1234, ["table"] = {};
 			["utf8"] = string.char(0xF4, 0x90, 0x80, 0x80);
 			["nil"] = "nil"; ["boolean"] = true;
+			["control characters"] = "\0\1\2\3";
 		};
 
 		for value_type, value in pairs(invalid_names) do
diff --git a/util/stanza.lua b/util/stanza.lua
index a90d56b3..cf2818ec 100644
--- a/util/stanza.lua
+++ b/util/stanza.lua
@@ -45,6 +45,10 @@ local _ENV = nil;
 local stanza_mt = { __name = "stanza" };
 stanza_mt.__index = stanza_mt;
 
+local function valid_xml_cdata(str, attr)
+	return not s_find(str, attr and "[^\1\9\10\13\20-~\128-\247]" or "[^\9\10\13\20-~\128-\247]");
+end
+
 local function check_name(name, name_type)
 	if type(name) ~= "string" then
 		error("invalid "..name_type.." name: expected string, got "..type(name));
@@ -52,6 +56,8 @@ local function check_name(name, name_type)
 		error("invalid "..name_type.." name: empty string");
 	elseif s_find(name, "[<>& '\"]") then
 		error("invalid "..name_type.." name: contains invalid characters");
+	elseif not valid_xml_cdata(name, name_type == "attribute") then
+		error("invalid "..name_type.." name: contains control characters");
 	elseif not valid_utf8(name) then
 		error("invalid "..name_type.." name: contains invalid utf8");
 	end
@@ -60,7 +66,9 @@ end
 local function check_text(text, text_type)
 	if type(text) ~= "string" then
 		error("invalid "..text_type.." value: expected string, got "..type(text));
-	elseif not valid_utf8(text) then
+	elseif not valid_xml_cdata(text) then
+		error("invalid "..text_type.." value: contains control characters");
+	elseif not valid_utf8(text, false) then
 		error("invalid "..text_type.." value: contains invalid utf8");
 	end
 end
-- 
cgit v1.2.3