X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fxmppstream.lua;h=e5271b7242a91a76024b68027c769cab9dabc949;hb=0d3a399b188ac9981f47256bc500007fdcb2bf27;hp=a13e9d3268e87a8ab3ff58754c87c262510bb028;hpb=83b669b80dc14c47edae26a1f0e180565ee1f203;p=prosody.git
diff --git a/util/xmppstream.lua b/util/xmppstream.lua
index a13e9d32..e5271b72 100644
--- a/util/xmppstream.lua
+++ b/util/xmppstream.lua
@@ -19,6 +19,16 @@ local setmetatable = setmetatable;
 local default_log = require "util.logger".init("xmppstream");
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+ default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+ .."vulnerable to denial-of-service attacks. You should upgrade to "
+ .."LuaExpat 1.1.1 or higher as soon as possible. See "
+ .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
 local error = error;
 module "xmppstream"
@@ -157,6 +167,19 @@ function new_sax_handlers(session, stream_callbacks)
 stack = {};
 end
 end
+
+ local function restricted_handler(parser)
+ cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+ if not parser.stop or not parser:stop() then
+ error("Failed to abort parsing");
+ end
+ end
+
+ if lxp_supports_doctype then
+ xml_handlers.StartDoctypeDecl = restricted_handler;
+ end
+ xml_handlers.Comment = restricted_handler;
+ xml_handlers.ProcessingInstruction = restricted_handler;
 local function reset()
 stanza, chardata = nil, {};
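Review bot: The fallback in the first hunk is fail-open: when `lxp_supports_doctype` is false the module logs a single `warn` line at load and carries on, and the second hunk then skips the `StartDoctypeDecl` handler, so DOCTYPE declarations are still accepted on those systems. The code should say so next to the probe, e.g. `-- NOTE: without StartDoctypeDecl support DOCTYPE is NOT rejected; only comments and PIs are`, and logging this at `error` rather than `warn` would make the exposure harder to overlook. The probe also keeps only the boolean from `pcall(lxp.new, ...)` and drops the parser it created; capturing the second return value and calling `:close()` on it when the probe succeeds would release it deterministically instead of waiting for the garbage collector.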
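Review bot: In `restricted_handler` (second hunk) `cb_error` is called before the stop check, so when `parser.stop` is missing or `parser:stop()` returns a false value the session has already been sent `restricted-xml` and a bare `error("Failed to abort parsing")` is then raised from inside the Expat callback. Whether the code that feeds the parser catches that error is outside this hunk and should be confirmed, since `new_sax_handlers` starts before and continues after the lines shown. The handler would also benefit from a short comment stating its purpose, e.g. `-- RFC 6120 section 11.1 forbids comments, processing instructions and DTDs: report restricted-xml and abort the parse`. A regression test would pin the intended behaviour: a stream opening with an XML declaration must still parse, while a comment, a processing instruction and a DOCTYPE each produce `restricted-xml`.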