comparison plugins/mod_c2s.lua @ 14122:8a4417d32b0f 13.0

mod_c2s,mod_s2s: Introduce separate pre-authentication stanza size limit This should prevent unauthenticated resource use via the XML parser.
author Kim Alvefur <zash@zash.se>
date Tue, 07 Apr 2026 20:35:41 +0200
parents 667a58e74fd9
children 863da67a4b51
comparison
equal deleted inserted replaced
14120:0e9e3efa381f 14122:8a4417d32b0f
26 local log = module._log; 26 local log = module._log;
27 27
28 local c2s_timeout = module:get_option_period("c2s_timeout", "5 minutes"); 28 local c2s_timeout = module:get_option_period("c2s_timeout", "5 minutes");
29 local stream_close_timeout = module:get_option_period("c2s_close_timeout", 5); 29 local stream_close_timeout = module:get_option_period("c2s_close_timeout", 5);
30 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); 30 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true));
31 local stanza_size_limit = module:get_option_integer("c2s_stanza_size_limit", 1024*256,10000); 31 local unauthed_stanza_size_limit = module:get_option_integer("c2s_unauthed_stanza_size_limit", 10000,1000);
32 local authed_stanza_size_limit = module:get_option_integer("c2s_stanza_size_limit", 1024*256,10000);
32 33
33 local advertised_idle_timeout = 14*60; -- default in all net.server implementations 34 local advertised_idle_timeout = 14*60; -- default in all net.server implementations
34 local network_settings = module:get_option("network_settings"); 35 local network_settings = module:get_option("network_settings");
35 if type(network_settings) == "table" and type(network_settings.read_timeout) == "number" then 36 if type(network_settings) == "table" and type(network_settings.read_timeout) == "number" then
36 advertised_idle_timeout = network_settings.read_timeout; 37 advertised_idle_timeout = network_settings.read_timeout;
135 end 136 end
136 137
137 local features = st.stanza("stream:features"); 138 local features = st.stanza("stream:features");
138 hosts[session.host].events.fire_event("stream-features", { origin = session, features = features, stream = attr }); 139 hosts[session.host].events.fire_event("stream-features", { origin = session, features = features, stream = attr });
139 if features.tags[1] or session.full_jid then 140 if features.tags[1] or session.full_jid then
140 if stanza_size_limit or advertised_idle_timeout then 141 if session.stanza_size_limit or advertised_idle_timeout then
141 features:reset(); 142 features:reset();
142 local limits = features:tag("limits", { xmlns = "urn:xmpp:stream-limits:0" }); 143 local limits = features:tag("limits", { xmlns = "urn:xmpp:stream-limits:0" });
143 if stanza_size_limit then 144 if session.stanza_size_limit then
144 limits:text_tag("max-bytes", string.format("%d", stanza_size_limit)); 145 limits:text_tag("max-bytes", string.format("%d", session.stanza_size_limit));
145 end 146 end
146 if advertised_idle_timeout then 147 if advertised_idle_timeout then
147 limits:text_tag("idle-seconds", string.format("%d", advertised_idle_timeout)); 148 limits:text_tag("idle-seconds", string.format("%d", advertised_idle_timeout));
148 end 149 end
149 limits:reset(); 150 limits:reset();
350 conn:setoption("keepalive", opt_keepalives); 351 conn:setoption("keepalive", opt_keepalives);
351 end 352 end
352 353
353 session.close = session_close; 354 session.close = session_close;
354 355
355 local stream = new_xmpp_stream(session, stream_callbacks, stanza_size_limit); 356 session.stanza_size_limit = unauthed_stanza_size_limit;
357
358 local stream = new_xmpp_stream(session, stream_callbacks, session.stanza_size_limit);
356 session.stream = stream; 359 session.stream = stream;
357 session.notopen = true; 360 session.notopen = true;
358 361
359 function session.reset_stream() 362 function session.reset_stream()
360 session.notopen = true; 363 session.notopen = true;
458 sessions[conn] = session; 461 sessions[conn] = session;
459 end 462 end
460 463
461 function module.add_host(module) 464 function module.add_host(module)
462 module:hook("c2s-read-timeout", keepalive, -1); 465 module:hook("c2s-read-timeout", keepalive, -1);
466 module:hook("authentication-success", function(event)
467 local session = event.session;
468 if session.stream then
469 session.stanza_size_limit = authed_stanza_size_limit;
470 session.stream:set_stanza_size_limit(session.stanza_size_limit);
471 end
472 end);
463 end 473 end
464 474
465 module:hook("c2s-read-timeout", keepalive, -1); 475 module:hook("c2s-read-timeout", keepalive, -1);
466 476
467 module:hook("server-stopping", function(event) -- luacheck: ignore 212/event 477 module:hook("server-stopping", function(event) -- luacheck: ignore 212/event