util.xmppstream: Reject XML comments, processing instructions and (if supported by...

diff --git a/util/xmppstream.lua b/util/xmppstream.lua
index a13e9d3268e87a8ab3ff58754c87c262510bb028..f92c5ffa29a26b2706ab8b6e083d026bb7475555 100644 (file)
--- a/util/xmppstream.lua
+++ b/util/xmppstream.lua
@@ -19,6 +19,16 @@ local setmetatable = setmetatable;
 
 local default_log = require "util.logger".init("xmppstream");
 
+-- COMPAT: w/LuaExpat 1.1.0
+local lxp_supports_doctype = pcall(lxp.new, { StartDoctypeDecl = false });
+
+if not lxp_supports_doctype then
+       default_log("warn", "The version of LuaExpat on your system leaves Prosody "
+               .."vulnerable to denial-of-service attacks. You should upgrade to "
+               .."LuaExpat 1.1.1 or higher as soon as possible. See "
+               .."http://prosody.im/doc/depends#luaexpat for more information.");
+end
+
 local error = error;
 
 module "xmppstream"
@@ -158,6 +168,17 @@ function new_sax_handlers(session, stream_callbacks)
                end
        end
        
+       local function restricted_handler()
+               cb_error(session, "parse-error", "restricted-xml", "Restricted XML, see RFC 6120 section 11.1.");
+       end
+       
+       if lxp_supports_doctype then
+               xml_handlers.StartDoctypeDecl = restricted_handler;
+       end
+       xml_handlers.Comment = restricted_handler;
+       xml_handlers.StartCdataSection = restricted_handler;
+       xml_handlers.ProcessingInstruction = restricted_handler;
+       
        local function reset()
                stanza, chardata = nil, {};
                stack = {};