util.xml: Break reference to help the GC (fix #1711)
LuaExpat uses a registry reference to track handlers, which makes
it so that an upvalue like this creates a reference loop that keeps the
parser and its handlers from being garbage collected. The same issue has
affected util.xmppstream in the past.
Code for checking:
local xml_parse = require"util.xml".parse;
for i = 1, 10000 do xml_parse("<root/>") end
collectgarbage(); collectgarbage();
print(collectgarbage("count"), "KiB");
A future release of LuaExpat may fix the underlying issue there.
--- a/util/xml.lua Thu Jan 13 12:18:49 2022 +0000
+++ b/util/xml.lua Thu Jan 20 09:57:20 2022 +0100
@@ -65,27 +65,26 @@
function handler:EndElement()
stanza:up();
end
- local parser;
-- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
function handler:StartDoctypeDecl()
- if not parser.stop or not parser:stop() then
+ if not self.stop or not self:stop() then
error("Failed to abort parsing");
end
end
function handler:ProcessingInstruction()
- if not parser.stop or not parser:stop() then
+ if not self.stop or not self:stop() then
error("Failed to abort parsing");
end
end
if not options or not options.allow_comments then
-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
function handler:Comment()
- if not parser.stop or not parser:stop() then
+ if not self.stop or not self:stop() then
error("Failed to abort parsing");
end
end
end
- parser = lxp.new(handler, ns_separator);
+ local parser = lxp.new(handler, ns_separator);
local ok, err, line, col = parser:parse(xml);
if ok then ok, err, line, col = parser:parse(); end
--parser:close();