util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- luacheck: ignore 212
local log = require "util.logger".init("auth_cyrus");
local usermanager_user_exists = require "core.usermanager".user_exists;
local cyrus_service_realm = module:get_option("cyrus_service_realm");
local cyrus_service_name = module:get_option("cyrus_service_name");
local cyrus_application_name = module:get_option("cyrus_application_name");
local require_provisioning = module:get_option("cyrus_require_provisioning") or false;
local host_fqdn = module:get_option("cyrus_server_fqdn");
prosody.unlock_globals(); --FIXME: Figure out why this is needed and
-- why cyrussasl isn't caught by the sandbox
local cyrus_new = require "util.sasl_cyrus".new;
prosody.lock_globals();
local new_sasl = function(realm)
return cyrus_new(
cyrus_service_realm or realm,
cyrus_service_name or "xmpp",
cyrus_application_name or "prosody",
host_fqdn
);
end
do -- diagnostic
local list;
for mechanism in pairs(new_sasl(module.host):mechanisms()) do
list = (not(list) and mechanism) or (list..", "..mechanism);
end
if not list then
module:log("error", "No Cyrus SASL mechanisms available");
else
module:log("debug", "Available Cyrus SASL mechanisms: %s", list);
end
end
local host = module.host;
-- define auth provider
local provider = {};
log("debug", "initializing default authentication provider for host '%s'", host);
function provider.test_password(username, password)
return nil, "Legacy auth not supported with Cyrus SASL.";
end
function provider.get_password(username)
return nil, "Passwords unavailable for Cyrus SASL.";
end
function provider.set_password(username, password)
return nil, "Passwords unavailable for Cyrus SASL.";
end
function provider.user_exists(username)
if require_provisioning then
return usermanager_user_exists(username, host);
end
return true;
end
function provider.create_user(username, password)
return nil, "Account creation/modification not available with Cyrus SASL.";
end
function provider.get_sasl_handler()
local handler = new_sasl(host);
if require_provisioning then
function handler.require_provisioning(username)
return usermanager_user_exists(username, host);
end
end
return handler;
end
module:provides("auth", provider);