man/prosodyctl: Normalize formatting syntax Filtered trough pandoc

util.dns: Minor updates of SVCB parser Now based on draft-ietf-dnsop-svcb-https-08

util.dns: Implement SVCB record parser Based on draft-ietf-dnsop-svcb-https-00

util.dns: Fix returning read position after zero-length name Doesn't affect normal usage by Prosody since neither A nor AAAA records use this and SRV records has the host name last so the position is not needed.

util.dnsregistry: Regenerate from IANA registry Note the duplicate 9 and 16 entries, neither of which are especially relevant for our resolver usage.

tools.dnsregistry: For converting IANA DNS registry data to Lua table

util.dns: Move DNS parameters details into util.dnsregistry Goal is to regenerate this file from the IANA registry using a tool. Having it in a separate file will reduce vcs noise in util.dns

doap: Make note of mod_mam storing XEP-0184 receipts

plugins: Update for namespace bump in XEP-0353 v0.4.0

util.prosodyctl.check: Fix reset of libunbound before DNS checks Probably worked anyway but settings might not always have been applied depending on what order things happens in. Error was hidden by the pcall, which was sorta intentional...

doap: Let's say XEP-0368 support is complete now We break the SHOULD about the merged _xmpp and _xmpps SRV handling, but we follow all the MUSTs

util.prosodyctl.check: Fix A/AAAA check for proxy65 and http When there are no records to return the return value from dns.lookup() might be nil or might be a table containing zero records, depending on which DNS library is used

util.prosodyctl.check: Include multiplexed ports in DNS checks #1704

mod_admin_shell: Add descriptions of each column to 'help columns' Since some of the titles are quite dense

mod_admin_shell: Use exact match instead of Lua patterns in c2s,s2s:show It is unexpected that 'example.com' matches 'exampleicom.org' and this use of Lua patterns is undocumented and unlikely to be widely known or used.

mod_http_file_share: Use alternate syntax for filename in Content-Disposition The Lua string.format %q doesn't behave correctly for all characters that should be escaped in a quoted-string. And who knows what effects higher Unicode might have here. Applying percent-encoding of filenames seems like the safest way to deal with filenames, as well as being easier than implementing the actual quoted-string transform, which seems complicated and I'm not even sure it covers every possible character. Filenames can safely be assumed to be UTF-8 since they are passed in an attribute in the query without any escaping.

mod_admin_shell: Fix traceback on rendering graph of stats without extra labels Stops an error when extra_labels is nil since it attempts to index it Unsure about correctness

mod_admin_shell: Add help section about stats

mod_admin_shell: Add help section about customizing table columns

README: Reflow text to ~78 columns It's what `gwl` in my vim did. Must be optimal then.

INSTALL: Update from site version

util.format: Expand explanation of purpose in comments

util.format: Skip control code escaping when doing full serialization Fixes that a multi-line string ended up "like\ \9this" instead of "like\nthis" as can be demonstrated by somehow initiating a connection to a HTTP server.

util.prosodyctl.cert: Look for certs matching 'http_host' This should ensure any certificate needed for HTTP services will also be included in the certificate import.

util.prosodyctl.check: Fix use of LuaSocket URL parser

util.prosodyctl.check: Add HTTP related DNS checks Since XEP-0363 is essentially mandatory now this will hopefully help diagnose some common issues.

util.prosodyctl.cert: Look for certificates in a consistent order Shortest first, then alphabetically, so that it prefers the base domain over subdomains. Fixes that it might otherwise pick a random sub-domain for filename on each run, cluttering the certs directory and potentially tricking Prosody into using an older certificate that might be about to expire.

mod_pubsub: Allow configuring summary templates Enables generation of summaries for more than Atom without additional modules.

mod_pubsub: Use the util.xtemplate to render Atom summary

util.xtemplate: Yet another string template library This one takes a stanza as input Roughly based on util.interpolation

mod_pubsub: Use the 'pubsub#type' setting to pick summary generator Allows using different ones even if multiple semantically different formats share the same root element xmlns, e.g. generic Atom and XEP-0277 entries.

mod_tls: Set ALPN on outgoing connections Relevant and sometimes needed for Direct TLS which mod_s2s uses this context for. Primarily when e.g. mod_net_multiplex or equivalent ALPN based dispatch is used. All these contexts should likely move away from mod_tls and into either mod_s2s or portmanager. The later already duplicates some of this work.

Added tag 0.11.13 for changeset ebeb4d959fb3

mod_admin_shell: Add command to show current user roles

mod_admin_shell: Add help section about roles As in the argument to user:create() and user:roles() Tricky to come up with something sensible to write when Prosody core only knows of the 'prosody:admin' role so far.

mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tls So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that.

mod_s2s: Enable outgoing Direct TLS connections Makes it faster by cutting out the roundtrips involved in <starttls/>, at the cost of making an additional SRV lookup. Since we already ignore a missing <starttls/> offer and try anyway there is not much difference in security. The fact that XMPP is used and the hostnames involved might still be visible until the future Encrypted ClientHello extension allows hiding those too.

net.connect: Allow passing TLS context from resolver Only allowing it to be passed directly makes it hard to combine plain (i.e. starttls) and Direct TLS connections in the same connection resolution procedure. But now we can, using chained resolvers!

net.resolvers.chain: A resolver for combining other resolvers Say if you wanted to try both _xmpp and _xmpps services

Merge 0.11->trunk

util.xml: Deduplicate handlers for restricted XML Makes the code more like util.xmppstream, allowing easier comparisons if we ever need to apply fixes in the future.

util.xml: Break reference to help the GC (fix #1711) LuaExpat uses a registry reference to track handlers, which makes it so that an upvalue like this creates a reference loop that keeps the parser and its handlers from being garbage collected. The same issue has affected util.xmppstream in the past. Code for checking: local xml_parse = require"util.xml".parse; for i = 1, 10000 do xml_parse("<root/>") end collectgarbage(); collectgarbage(); print(collectgarbage("count"), "KiB"); A future release of LuaExpat may fix the underlying issue there.

util.prosodyctl.cert: Check success of copy operations, warn on fail Debugging a case where certs are not imported correctly but prosodyctl still reports success. Hoping this will shed some light on it.

util.prosodyctl.cert: Pass variables via formatting instead of concatenation Prevents potential weirdness in case there's any %s or such in a host, file or directory name, since show_warning() is printf().

tools/xep227toprosody: Remove obsolete tool in favor of storage driver This tool hasn't been updated for recent XEP-0227 changes, hasn't seen many changes at all since its introduction and I don't remember anyone mentioning ever using it. Using mod_storage_xmlarchive and the migrator or the 3rd party mod_migrate tool should work better these days and should be the way forward.

core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation Confusion! Thanks Martin

core.certmanager: Apply TLS preset before global settings (thanks Menel) Allows overriding settings via the global 'ssl' settings as before. This order was probably accidental. That said, 'ssl' is a giant footgun we will want to discourage use of.

mod_storage_xep0227: Fix luacheck warning

mod_storage_xep0227: Fix traceback during iteration of driver stores :include(other_set), :add(item)

mod_storage_xep0227: Fix file export (missing parameter) from refactor in 270047afa6af

mod_http: Increase severity of loading unreachable http modules This is either caused by an earlier failure to bind http/s ports, in which case that should be corrected, or explicitly disbling the http/s ports, in which case ... why enable http modules? Suggested by jonas’

mod_http: Skip querying portmanager when http_external_url when is set When http_external_url is set then the portmanager usage only really serves as a check of whether any http service is enabled at all. Should allow generating an URL from prosodyctl when http_external_url is set.

util.jid: Explicitly check for nil rather than falsy A boolean false should blow up.

mod_storage_xep0227: treat roster metadata pseudo-entry correctly The roster version is stored in a pseudo-item which has the key `false`. The if condition in the touched code attempts to guard against this, but it does not take into account that the jid prepping returns nil instead of false. By moving the jid prepping into the if, we can check for the metadata entry safely.

mod_storage_xep0227: be defensive against empty vCard An empty vCard store may look like the empty table, which does not have the `attr` key, which would then blow up in util.stanza.deserialize.

mod_http: Limit unencrypted http port (5280) to loopback by default Since accessing this port directly over the wider Internet is unlikely to intentional anymore. Most uses will likely be by reverse proxies, by mistake or because of trouble configuring HTTPS. Blocking mistaken uses is just a good thing, letting users send potentially private things unencrypted tends to be Strongly Discouraged these days. Many reverse proxy setups operate over loopback, so listening there instead of all interfaces is a net improvement. Improved automatic certificate location and SNI support has mostly eliminated the need for manual certificate configuration so HTTPS should Just Work once certificates have been provided. For local testing during development, connecting over loopback is likely fine as well. When really needed, `http_interfaces` can still be set. Suggested by Link Mauve

mod_cron: Allow for a small amount of timer drift If the timer activates a bit early then a task might be just a few seconds short of being allowed to run. This would run such a task rather than wait another hour. The value 0.5% chosen so that a weekly task does not run an entire hour earlier than last time.

mod_storage_xep0227: Fix luacheck warnings

mod_storage_xep0227: Add API to iterate all stores of a user

mod_storage_xep0227: Skip self-contacts on roster import