Mercurial > prosody-hg
comparison plugins/mod_c2s.lua @ 14122:8a4417d32b0f 13.0
mod_c2s,mod_s2s: Introduce separate pre-authentication stanza size limit
This should prevent unauthenticated resource use via the XML parser.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 07 Apr 2026 20:35:41 +0200 |
| parents | 667a58e74fd9 |
| children | 863da67a4b51 |
comparison
equal
deleted
inserted
replaced
| 14120:0e9e3efa381f | 14122:8a4417d32b0f |
|---|---|
| 26 local log = module._log; | 26 local log = module._log; |
| 27 | 27 |
| 28 local c2s_timeout = module:get_option_period("c2s_timeout", "5 minutes"); | 28 local c2s_timeout = module:get_option_period("c2s_timeout", "5 minutes"); |
| 29 local stream_close_timeout = module:get_option_period("c2s_close_timeout", 5); | 29 local stream_close_timeout = module:get_option_period("c2s_close_timeout", 5); |
| 30 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); | 30 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); |
| 31 local stanza_size_limit = module:get_option_integer("c2s_stanza_size_limit", 1024*256,10000); | 31 local unauthed_stanza_size_limit = module:get_option_integer("c2s_unauthed_stanza_size_limit", 10000,1000); |
| 32 local authed_stanza_size_limit = module:get_option_integer("c2s_stanza_size_limit", 1024*256,10000); | |
| 32 | 33 |
| 33 local advertised_idle_timeout = 14*60; -- default in all net.server implementations | 34 local advertised_idle_timeout = 14*60; -- default in all net.server implementations |
| 34 local network_settings = module:get_option("network_settings"); | 35 local network_settings = module:get_option("network_settings"); |
| 35 if type(network_settings) == "table" and type(network_settings.read_timeout) == "number" then | 36 if type(network_settings) == "table" and type(network_settings.read_timeout) == "number" then |
| 36 advertised_idle_timeout = network_settings.read_timeout; | 37 advertised_idle_timeout = network_settings.read_timeout; |
| 135 end | 136 end |
| 136 | 137 |
| 137 local features = st.stanza("stream:features"); | 138 local features = st.stanza("stream:features"); |
| 138 hosts[session.host].events.fire_event("stream-features", { origin = session, features = features, stream = attr }); | 139 hosts[session.host].events.fire_event("stream-features", { origin = session, features = features, stream = attr }); |
| 139 if features.tags[1] or session.full_jid then | 140 if features.tags[1] or session.full_jid then |
| 140 if stanza_size_limit or advertised_idle_timeout then | 141 if session.stanza_size_limit or advertised_idle_timeout then |
| 141 features:reset(); | 142 features:reset(); |
| 142 local limits = features:tag("limits", { xmlns = "urn:xmpp:stream-limits:0" }); | 143 local limits = features:tag("limits", { xmlns = "urn:xmpp:stream-limits:0" }); |
| 143 if stanza_size_limit then | 144 if session.stanza_size_limit then |
| 144 limits:text_tag("max-bytes", string.format("%d", stanza_size_limit)); | 145 limits:text_tag("max-bytes", string.format("%d", session.stanza_size_limit)); |
| 145 end | 146 end |
| 146 if advertised_idle_timeout then | 147 if advertised_idle_timeout then |
| 147 limits:text_tag("idle-seconds", string.format("%d", advertised_idle_timeout)); | 148 limits:text_tag("idle-seconds", string.format("%d", advertised_idle_timeout)); |
| 148 end | 149 end |
| 149 limits:reset(); | 150 limits:reset(); |
| 350 conn:setoption("keepalive", opt_keepalives); | 351 conn:setoption("keepalive", opt_keepalives); |
| 351 end | 352 end |
| 352 | 353 |
| 353 session.close = session_close; | 354 session.close = session_close; |
| 354 | 355 |
| 355 local stream = new_xmpp_stream(session, stream_callbacks, stanza_size_limit); | 356 session.stanza_size_limit = unauthed_stanza_size_limit; |
| 357 | |
| 358 local stream = new_xmpp_stream(session, stream_callbacks, session.stanza_size_limit); | |
| 356 session.stream = stream; | 359 session.stream = stream; |
| 357 session.notopen = true; | 360 session.notopen = true; |
| 358 | 361 |
| 359 function session.reset_stream() | 362 function session.reset_stream() |
| 360 session.notopen = true; | 363 session.notopen = true; |
| 458 sessions[conn] = session; | 461 sessions[conn] = session; |
| 459 end | 462 end |
| 460 | 463 |
| 461 function module.add_host(module) | 464 function module.add_host(module) |
| 462 module:hook("c2s-read-timeout", keepalive, -1); | 465 module:hook("c2s-read-timeout", keepalive, -1); |
| 466 module:hook("authentication-success", function(event) | |
| 467 local session = event.session; | |
| 468 if session.stream then | |
| 469 session.stanza_size_limit = authed_stanza_size_limit; | |
| 470 session.stream:set_stanza_size_limit(session.stanza_size_limit); | |
| 471 end | |
| 472 end); | |
| 463 end | 473 end |
| 464 | 474 |
| 465 module:hook("c2s-read-timeout", keepalive, -1); | 475 module:hook("c2s-read-timeout", keepalive, -1); |
| 466 | 476 |
| 467 module:hook("server-stopping", function(event) -- luacheck: ignore 212/event | 477 module:hook("server-stopping", function(event) -- luacheck: ignore 212/event |
