Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge 0.6->0.7
authorMatthew Wild <mwild1@gmail.com>
Wed, 01 Jun 2011 23:25:24 +0100
changeset 4277 683523db4fe8
parent 3399 3976bad56640 (current diff)
parent 4276 a37522bf6b1b (diff)
child 4278 67ce42aa7419
child 4281 5a0144a032d8
Merge 0.6->0.7
core/xmlhandlers.lua file | annotate | diff | comparison | revisions 
--- a/core/xmlhandlers.lua	Fri Jul 23 09:17:11 2010 +0100
+++ b/core/xmlhandlers.lua	Wed Jun 01 23:25:24 2011 +0100
@@ -17,6 +17,16 @@
 
 local default_log = require "util.logger".init("xmlhandlers");
 
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+	default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+		.."vulnerable to denial-of-service attacks. You should upgrade to "
+		.."LuaExpat 1.1.1 or higher as soon as possible. See "
+		.."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
 local error = error;
 
 module "xmlhandlers"
@@ -139,6 +149,18 @@
 			stanza, chardata = nil, {};
 		end
 	end
+
+	local function restricted_handler()
+		cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+	end
+
+	if lxp_supports_doctype then
+		xml_handlers.StartDoctypeDecl = restricted_handler;
+	end
+	xml_handlers.Comment = restricted_handler;
+	xml_handlers.StartCdataSection = restricted_handler;
+	xml_handlers.ProcessingInstruction = restricted_handler;
+
 	return xml_handlers;
 end
prosody