util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
# Prosody IM Server
## Description
Prosody is a server for Jabber/XMPP written in Lua. It aims to be easy
to use and light on resources. For developers, it aims to give a
flexible system on which to rapidly develop added functionality or
rapidly prototype new protocols.
## Useful links
Homepage: https://prosody.im/
Download: https://prosody.im/download
Documentation: https://prosody.im/doc/
Jabber/XMPP Chat:
Address:
prosody@conference.prosody.im
Web interface:
https://prosody.im/webchat
Mailing lists:
User support and discussion:
https://groups.google.com/group/prosody-users
Development discussion:
https://groups.google.com/group/prosody-dev
Issue tracker changes:
https://groups.google.com/group/prosody-issues
## Installation
See the accompanying INSTALL file for help on building Prosody from source. Alternatively
see our guide at https://prosody.im/doc/install