util/session.lua
author Jonas Schäfer <jonas@wielicki.name>
Mon, 10 Jan 2022 18:23:54 +0100
branch0.11
changeset 12185 783056b4e448
parent 7184 8af558965da3
child 9951 8ebca1240203
permissions -rw-r--r--
util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments; however, there is a way to enable comments nonetheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
local initialize_filters = require "util.filters".initialize;
local logger = require "util.logger";
--- Create a bare session table of the given kind.
-- The kind is suffixed with "_unauthed", so every session produced here
-- starts out in the unauthenticated state; whatever completes authentication
-- is expected to rewrite `session.type` (that happens outside this module).
-- @param typ session kind; it is concatenated, so a string (or number) is required
-- @treturn table the new session, carrying only the `type` field
local function new_session(typ)
	local unauthed_kind = typ .. "_unauthed";
	return { type = unauthed_kind };
end
--- Give a session an identifier for logging and correlation.
-- The id is `session.type` followed by the trailing hex digits of
-- tostring(session) — the table's address as rendered by the Lua runtime —
-- lower-cased. It is therefore NOT a secret and is not unique over time
-- (an address may be handed out again once the table is collected), so use it
-- for log correlation only, never as a token, nonce or stream id.
-- NOTE(review): `match("%x+$")` assumes tostring() ends in hex digits, which is
-- true for plain tables without a __tostring metamethod; for anything else the
-- match returns nil and the `:lower()` call fails.
-- @tparam table session a session whose `type` is already set (see new_session)
-- @treturn table the same session, with `id` set
local function set_id(session)
	local addr_hex = tostring(session):match("%x+$");
	session.id = session.type .. addr_hex:lower();
	return session;
end
--- Attach a per-session logger to the session.
-- The logger is created with `session.id` as its name, so set_id should run
-- before this; the resulting `session.log` is what set_send uses for its
-- debug messages.
-- @tparam table session a session with `id` set
-- @treturn table the same session, with `log` set
local function set_logger(session)
	local session_log = logger.init(session.id);
	session.log = session_log;
	return session;
end
--- Bind a session to its transport connection.
-- Stores the connection and snapshots the peer address reported by
-- conn:ip() at bind time. NOTE(review): that is the address of the direct
-- peer; when connections arrive via a proxy or load balancer it is the
-- proxy's address, so do not treat `session.ip` as the end user's address
-- without confirming the deployment.
-- @tparam table session
-- @param conn a connection object with an ip() method (set_send also expects a write function on it)
-- @treturn table the same session, with `conn` and `ip` set
local function set_conn(session, conn)
	-- keep this order: the connection is stored even if ip() were to fail
	session.conn = conn;
	local peer_ip = conn:ip();
	session.ip = peer_ip;
	return session;
end
--- Install `session.send` on the session.
-- Without a connection (`session.conn` unset) the installed function only logs
-- the discarded payload at debug level and returns false. With a connection
-- it runs stanza-like values (anything with a `name` field) through the
-- "stanzas/out" filter, then the serialized bytes through "bytes/out", and
-- writes the result with the connection's write function; a filter returning
-- nil drops the data silently and send() still reports true.
-- NOTE(review): `conn.write` is captured once here, so if the connection object
-- later replaces its write function this session keeps calling the old one —
-- confirm that is intended. Also note the unconnected branch logs
-- tostring(data), i.e. potentially the whole outgoing stanza, at debug level.
-- @tparam table session a session with `log` set, and optionally `conn`
-- @treturn table the same session, with `send` set
local function set_send(session)
	local conn = session.conn;
	if not conn then
		-- No transport yet: swallow outgoing data but leave a trace in the log.
		function session.send(data)
			session.log("debug", "Discarding data sent to unconnected session: %s", tostring(data));
			return false;
		end
		return session;
	end
	local filter = initialize_filters(session);
	local write = conn.write;
	session.send = function (t)
		if t.name then
			t = filter("stanzas/out", t);
		end
		if not t then
			return true;
		end
		local bytes = filter("bytes/out", tostring(t));
		if not bytes then
			return true;
		end
		local ok, err = write(conn, bytes);
		if not ok then
			session.log("debug", "Error writing to connection: %s", tostring(err));
			return false, err;
		end
		return true;
	end
	return session;
end
-- Public API. A session is built by threading one table through these
-- setters in order (new -> set_id -> set_logger -> set_conn -> set_send);
-- each setter returns the same table so calls can be chained.
local session_api = {
	new = new_session;
	set_id = set_id;
	set_logger = set_logger;
	set_conn = set_conn;
	set_send = set_send;
};

return session_api;