Mercurial Mercurial > prosody > prosody / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
doc/storage.tld
author Jonas Schäfer <jonas@wielicki.name>
Mon, 10 Jan 2022 18:23:54 +0100
branch0.11
changeset 12185 783056b4e448
parent 7747 4d9186d990a5
child 9907 2c5546cc5c70
permissions -rw-r--r--
util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.

-- Storage Interface API Description
--
-- This is written as a TypedLua description

-- Key-Value stores (the default)

interface keyval_store
	get : ( self, string? ) -> (any) | (nil, string)
	set : ( self, string?, any ) -> (boolean) | (nil, string)
end

-- Map stores (key-key-value stores)

interface map_store
	get : ( self, string?, any ) -> (any) | (nil, string)
	set : ( self, string?, any, any ) -> (boolean) | (nil, string)
	set_keys : ( self, string?, { any : any }) -> (boolean) | (nil, string)
	remove : {}
end

-- Archive stores

typealias archive_query = {
	"start"  : number?, -- timestamp
	"end"    : number?, -- timestamp
	"with"   : string?,
	"after"  : string?, -- archive id
	"before" : string?, -- archive id
	"total"  : boolean?,
}

interface archive_store
	-- Optional set of capabilities
	caps   : {
		-- Optional total count of matching items returned as second return value from :find()
		"total" : boolean?,
	}?

	-- Add to the archive
	append : ( self, string?, string?, any, number?, string? ) -> (string) | (nil, string)

	-- Iterate over archive
	find   : ( self, string?, archive_query? ) -> ( () -> ( string, any, number?, string? ), integer? )

	-- Removal of items. API like find. Optional?
	delete : ( self, string?, archive_query? ) -> (boolean) | (number) | (nil, string)

	-- Array of dates which do have messages (Optional?)
	dates  : ( self, string? ) -> ({ string }) | (nil, string)
end

-- This represents moduleapi
interface module
	-- If the first string is omitted then the name of the module is used
	-- The second string is one of "keyval" (default), "map" or "archive"
	open_store : (self, string?, string?) -> (keyval_store) | (map_store) | (archive_store) | (nil, string)

	-- Other module methods omitted
end

module : module
prosody