Mercurial > prosody-hg
comparison plugins/mod_c2s.lua @ 14152:fed0dd8dda09 0.12
mod_c2s,mod_s2s: Introduce separate pre-authentication stanza size limit
This should prevent unauthenticated resource use via the XML parser.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 07 Apr 2026 20:35:41 +0200 |
| parents | bc30e1b9ad89 |
| children | 363a79f54109 |
comparison
equal
deleted
inserted
replaced
| 13636:1ef39ce837be | 14152:fed0dd8dda09 |
|---|---|
| 26 local log = module._log; | 26 local log = module._log; |
| 27 | 27 |
| 28 local c2s_timeout = module:get_option_number("c2s_timeout", 300); | 28 local c2s_timeout = module:get_option_number("c2s_timeout", 300); |
| 29 local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5); | 29 local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5); |
| 30 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); | 30 local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); |
| 31 local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024*256); | 31 local unauthed_stanza_size_limit = module:get_option_number("c2s_unauthed_stanza_size_limit", 10000,1000); |
| 32 local authed_stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024*256,10000); | |
| 32 | 33 |
| 33 local measure_connections = module:metric("gauge", "connections", "", "Established c2s connections", {"host", "type", "ip_family"}); | 34 local measure_connections = module:metric("gauge", "connections", "", "Established c2s connections", {"host", "type", "ip_family"}); |
| 34 | 35 |
| 35 local sessions = module:shared("sessions"); | 36 local sessions = module:shared("sessions"); |
| 36 local core_process_stanza = prosody.core_process_stanza; | 37 local core_process_stanza = prosody.core_process_stanza; |
| 310 conn:setoption("keepalive", opt_keepalives); | 311 conn:setoption("keepalive", opt_keepalives); |
| 311 end | 312 end |
| 312 | 313 |
| 313 session.close = session_close; | 314 session.close = session_close; |
| 314 | 315 |
| 315 local stream = new_xmpp_stream(session, stream_callbacks, stanza_size_limit); | 316 session.stanza_size_limit = unauthed_stanza_size_limit; |
| 317 | |
| 318 local stream = new_xmpp_stream(session, stream_callbacks, session.stanza_size_limit); | |
| 316 session.stream = stream; | 319 session.stream = stream; |
| 317 session.notopen = true; | 320 session.notopen = true; |
| 318 | 321 |
| 319 function session.reset_stream() | 322 function session.reset_stream() |
| 320 session.notopen = true; | 323 session.notopen = true; |
| 418 sessions[conn] = session; | 421 sessions[conn] = session; |
| 419 end | 422 end |
| 420 | 423 |
| 421 function module.add_host(module) | 424 function module.add_host(module) |
| 422 module:hook("c2s-read-timeout", keepalive, -1); | 425 module:hook("c2s-read-timeout", keepalive, -1); |
| 426 module:hook("authentication-success", function(event) | |
| 427 local session = event.session; | |
| 428 if session.stream then | |
| 429 session.stanza_size_limit = authed_stanza_size_limit; | |
| 430 session.stream:set_stanza_size_limit(session.stanza_size_limit); | |
| 431 end | |
| 432 end); | |
| 423 end | 433 end |
| 424 | 434 |
| 425 module:hook("c2s-read-timeout", keepalive, -1); | 435 module:hook("c2s-read-timeout", keepalive, -1); |
| 426 | 436 |
| 427 module:hook("server-stopping", function(event) -- luacheck: ignore 212/event | 437 module:hook("server-stopping", function(event) -- luacheck: ignore 212/event |
