#1574 Invalid XML input on s2s connection is logged unescaped

Reporter Bonstra
Owner Zash
Created
Updated
Stars ★ (1)
Tags
  • Milestone-0.11
  • Type-Defect
  • Security
  • Status-Fixed
  • Priority-High
  1. Bonstra on

    What steps will reproduce the problem? 1. Print the server log in a separate terminal using: tail -f [logfile] 2. From another terminal, run: echo -ne 'Là on me voit, \x1b7là on me voit plus, on me voit plus, \x1b8\x1b[Jon me voit.'|nc 127.0.0.1 5269 3. Read the logs in the other terminal, only part of the input text is visible 4. Use 'less [logfile]' to see the control characters and the hidden text What is the expected output? Received invalid XML: Là on me voit, \x1b7là on me voit plus, on me voit plus, \x1b8\x1b[Jon me voit. What do you see instead? Received invalid XML: Là on me voit, on me voit. What version of the product are you using? On what operating system? prosody 0.11.5 on ArchLinuxARM (armv5) Please provide any additional information below. This flaw can be abused by an attacker to manipulate what is presented to the system administrator if they read the log using a tool which does not filter out unusual control characters (e.g. cat, tail and more). Also, having invalid UTF-8 sequences in the logs could also confuse some log-analyzing tools which expect a valid encoding.

  2. Zash on

    Thanks for the report. We will copy the solution already used in mod_c2s to mod_s2s in 0.11. trunk/0.12 already has a solution to this that c2s, s2s and component connections.

    Changes
    • tags Milestone-0.11 Status-Accepted
    • owner Zash
  3. Zash on

    Fixed in https://hg.prosody.im/0.11/rev/bacca65ce107

    Changes
    • tags Status-Fixed
  4. Zash on

    Changes
    • tags Hidden

New comment

Not published. Used for spam prevention and optional update notifications.