--- a/.hgtags Wed Jan 19 10:28:09 2022 +0100
+++ b/.hgtags Thu Jan 20 13:02:24 2022 +0100
@@ -79,3 +79,4 @@
d0e9ffccdef934af554ea2d4a5beb9a52e9e951d 0.11.9
d117b92fd8e459170a98a8dece7f3930f4b6aed7 0.11.10
76b4e3f12b53fedae96402d87fa9ee79e704ce5e 0.11.11
+783056b4e4480389d0e27883289b1bfef57e4729 0.11.12
--- a/util/xml.lua Wed Jan 19 10:28:09 2022 +0100
+++ b/util/xml.lua Thu Jan 20 13:02:24 2022 +0100
@@ -65,27 +65,19 @@
function handler:EndElement()
stanza:up();
end
- local parser;
-- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
- function handler:StartDoctypeDecl()
+ local function restricted_handler(parser)
if not parser.stop or not parser:stop() then
error("Failed to abort parsing");
end
end
- function handler:ProcessingInstruction()
- if not parser.stop or not parser:stop() then
- error("Failed to abort parsing");
- end
- end
+ handler.StartDoctypeDecl = restricted_handler;
+ handler.ProcessingInstruction = restricted_handler;
if not options or not options.allow_comments then
-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
- function handler:Comment()
- if not parser.stop or not parser:stop() then
- error("Failed to abort parsing");
- end
- end
+ handler.Comment = restricted_handler;
end
- parser = lxp.new(handler, ns_separator);
+ local parser = lxp.new(handler, ns_separator);
local ok, err, line, col = parser:parse(xml);
if ok then ok, err, line, col = parser:parse(); end
--parser:close();
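Review bot: The shared `restricted_handler` has no comment of its own, and the SECURITY comment kept above it still says "These two handlers" even though the function is now installed for three callbacks (`StartDoctypeDecl`, `ProcessingInstruction`, and conditionally `Comment`). I would replace that line with a doc comment on the new function, e.g. `-- SECURITY: shared callback that aborts parsing. Installed for doctype and processing-instruction events (and comments unless options.allow_comments) to block entity-expansion attacks such as Billion Laughs.` A second line should state what the function relies on, since it replaces the old upvalue: `-- lxp passes the parser object as the first argument to every callback; the remaining callback arguments are ignored.` The enclosing function starts before and ends after this hunk, so the `ok, err, line, col` handling that consumes the aborted parse is not visible here.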