Mercurial > prosody-hg
diff plugins/mod_c2s.lua @ 14152:fed0dd8dda09 0.12
mod_c2s,mod_s2s: Introduce separate pre-authentication stanza size limit
This should prevent unauthenticated resource use via the XML parser.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 07 Apr 2026 20:35:41 +0200 |
| parents | bc30e1b9ad89 |
| children | 363a79f54109 |
line wrap: on
line diff
--- a/plugins/mod_c2s.lua Sun Dec 29 12:13:29 2024 +0000 +++ b/plugins/mod_c2s.lua Tue Apr 07 20:35:41 2026 +0200 @@ -28,7 +28,8 @@ local c2s_timeout = module:get_option_number("c2s_timeout", 300); local stream_close_timeout = module:get_option_number("c2s_close_timeout", 5); local opt_keepalives = module:get_option_boolean("c2s_tcp_keepalives", module:get_option_boolean("tcp_keepalives", true)); -local stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024*256); +local unauthed_stanza_size_limit = module:get_option_number("c2s_unauthed_stanza_size_limit", 10000,1000); +local authed_stanza_size_limit = module:get_option_number("c2s_stanza_size_limit", 1024*256,10000); local measure_connections = module:metric("gauge", "connections", "", "Established c2s connections", {"host", "type", "ip_family"}); @@ -312,7 +313,9 @@ session.close = session_close; - local stream = new_xmpp_stream(session, stream_callbacks, stanza_size_limit); + session.stanza_size_limit = unauthed_stanza_size_limit; + + local stream = new_xmpp_stream(session, stream_callbacks, session.stanza_size_limit); session.stream = stream; session.notopen = true; @@ -420,6 +423,13 @@ function module.add_host(module) module:hook("c2s-read-timeout", keepalive, -1); + module:hook("authentication-success", function(event) + local session = event.session; + if session.stream then + session.stanza_size_limit = authed_stanza_size_limit; + session.stream:set_stanza_size_limit(session.stanza_size_limit); + end + end); end module:hook("c2s-read-timeout", keepalive, -1);
