Mercurial > prosody-modules
view mod_sslv3_warn/mod_sslv3_warn.lua @ 5404:1087f697c3f3
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in of unvalidated data that might become used
later, especially since the 'additionalProperties' schema keyword was
removed in 698fef74ce53
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 May 2023 16:23:40 +0200 |
| parents | 37cef218ba20 |
| children |
line wrap: on
line source
local st = require"util.stanza"; local host = module.host; local warning_message = module:get_option_string("sslv3_warning", "Your connection is encrypted using the SSL 3.0 protocol, which has been demonstrated to be insecure and will be disabled soon. Please upgrade your client."); module:hook("resource-bind", function (event) local session = event.session; module:log("debug", "mod_%s sees that %s logged in", module.name, session.username); local ok, protocol = pcall(function(session) return session.conn:socket():info"protocol"; end, session); if not ok then module:log("debug", protocol); elseif protocol == "SSLv3" then module:add_timer(15, function () if session.type == "c2s" and session.resource then session.send(st.message({ from = host, type = "headline", to = session.full_jid }, warning_message)); end end); end end);