Jonas Schäfer <jonas@wielicki.name> [Mon, 10 Jan 2022 18:23:54 +0100] rev 12185
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
Jonas Schäfer <jonas@wielicki.name> [Mon, 10 Jan 2022 18:23:54 +0100] rev 12184
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
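The mitigation described in rev 12185 and rev 12184 above (abort parsing as soon as a doctype declaration or processing instruction is seen, and comments too unless the caller opts in) can be demonstrated with a small LuaExpat wrapper. The following is an added example, not Prosody's util.xml; it assumes only the `lxp` module with its standard `StartDoctypeDecl`, `ProcessingInstruction`, `Comment`, `StartElement` and `EndElement` callbacks, and the function name `restricted_parse` and the sample documents are constructed for illustration.

```lua
-- Added example (not Prosody's util.xml): parse untrusted XML with LuaExpat
-- while refusing doctype declarations and processing instructions outright,
-- and comments unless the caller explicitly allows them. Because the
-- StartDoctypeDecl callback fires before the internal DTD subset is read,
-- entity declarations (the vehicle for entity-expansion attacks such as
-- Billion Laughs) are never processed at all.
local lxp = require "lxp";

-- Returns the root element name on success, or nil plus an error message.
local function restricted_parse(xml, allow_comments)
	local depth, root = 0, nil;

	-- Build a callback that aborts the parse. Raising an error inside a
	-- LuaExpat callback is propagated out of parser:parse().
	local function reject(what)
		return function()
			error(what.." is not allowed in this document", 0);
		end
	end

	local handlers = {
		StartDoctypeDecl = reject("doctype declaration");
		ProcessingInstruction = reject("processing instruction");
		StartElement = function(_, name)
			depth = depth + 1;
			if depth == 1 then root = name; end
		end;
		EndElement = function() depth = depth - 1; end;
	};
	-- Comments are harmless in human-facing data, so they get an opt-in.
	if not allow_comments then
		handlers.Comment = reject("comment");
	end

	local parser = lxp.new(handlers);
	local ok, err = pcall(function()
		assert(parser:parse(xml));
		assert(parser:parse()); -- no argument: signal end of document
	end);
	-- close() on a parser that stopped with an error re-raises that error,
	-- so guard it; the parser is garbage-collected either way.
	pcall(parser.close, parser);
	if not ok then return nil, err; end
	return root;
end

-- Constructed sample inputs: a websocket-style <open/> frame, the same frame
-- preceded by a doctype with an internal subset, and one carrying a comment.
local frame = [[<?xml version="1.0"?><open xmlns="urn:ietf:params:xml:ns:xmpp-framing" to="example.com" version="1.0"/>]];
local with_doctype = [[<!DOCTYPE open [<!ENTITY e "x">]><open xmlns="urn:ietf:params:xml:ns:xmpp-framing"/>]];
local with_comment = [[<open xmlns="urn:ietf:params:xml:ns:xmpp-framing"><!-- note --></open>]];

print(restricted_parse(frame));                -- open
print(restricted_parse(with_doctype));         -- nil  doctype declaration is not allowed in this document
print(restricted_parse(with_comment));         -- nil  comment is not allowed in this document
print(restricted_parse(with_comment, true));   -- open
```

The `<?xml ...?>` declaration in the first sample is still accepted: expat reports it through a separate `XmlDecl` callback, not as a processing instruction, so rejecting PIs does not break ordinary documents.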
Kim Alvefur <zash@zash.se> [Tue, 11 Jan 2022 04:15:29 +0100] rev 12183
mod_http_file_share: Always measure total disk usage for statistics!
Metrics available or not depending on configuration is weird, even tho
it might be expensive to calculate and it's only really needed when
there is a global quota.
Default quota is set to infinity, which is essentially what it was.
Reports NaN if there is an error, which should count as over the
infinite default quota.
Kim Alvefur <zash@zash.se> [Tue, 11 Jan 2022 00:06:48 +0100] rev 12182
mod_bookmarks: Fix traceback on attempt to convert invalid bookmark
Found by accidentally publishing {urn:xmpp:bookmarks:0}conference
instead of :1 due to testing this earlier for the blocking.
By the principle of garbage in, garbage out, just generate a bookmark
from the item id / JID and carry on with a warning.
Kim Alvefur <zash@zash.se> [Mon, 10 Jan 2022 22:15:55 +0100] rev 12181
mod_bookmarks: Block publishing to older XEP-0402 v0.3.0 node
Having both the :0 and :1 nodes would be especially awkward, since there
is no upgrade path for this case. In theory, these should be rare since
no clients should have been doing XEP-0402 unless mod_bookmarks(2) was
enabled. This was guesstimated to be rare with most clients doing
XEP-0048 with Private XML.
Kim Alvefur <zash@zash.se> [Mon, 10 Jan 2022 16:53:58 +0100] rev 12180
mod_storage_xep0227: Fix writing non-user data
Attempt to concatenate nil 'user'
Not much data actually makes sense but the migrator tries to write or
clear these.
Matthew Wild <mwild1@gmail.com> [Mon, 10 Jan 2022 15:50:55 +0000] rev 12179
mod_storage_xep0227: Ignore luacheck warning
Matthew Wild <mwild1@gmail.com> [Mon, 10 Jan 2022 15:48:45 +0000] rev 12178
mod_storage_xep0227: Support for exporting nodes with no stored configuration
Matthew Wild <mwild1@gmail.com> [Mon, 10 Jan 2022 15:47:59 +0000] rev 12177
mod_storage_xep0227: Allow overriding the input/output layer for XEP-0227 data
This can (and will) be used to support in-memory import/export functions.
Kim Alvefur <zash@zash.se> [Mon, 10 Jan 2022 00:13:17 +0100] rev 12176
mod_bookmarks: Skip migration of legacy data when empty
Should save some cycles and not log the debug message on every login.