jfinn
/
jitsi_app_c0
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

FIX: prosody token util handles race on timeout gracefully

master
Aaron van Meerten 5 years ago
parent
3fd85720bc
commit
5e35b69fc9
1 changed files with 22 additions and 15 deletions
Split View Show Diff Stats
  1. 22
    15
      resources/prosody-plugins/token/util.lib.lua

+ 22
- 15
resources/prosody-plugins/token/util.lib.lua View File 

@@ -127,31 +127,26 @@ function Util:get_public_key(keyId)
127 127 
         -- If the key is not found in the cache.
128 128 
         module:log("debug", "Cache miss for key: "..keyId);
129 129 
         local code;
130 
+        local timeout_occurred;
130 131 
         local wait, done = async.waiter();
131 132 
         local function cb(content_, code_, response_, request_)
132 
-            content, code = content_, code_;
133 
-            if code == 200 or code == 204 then
134 
-                cache:set(keyId, content);
133 
+            if timeout_occurred == nil then
134 
+                content, code = content_, code_;
135 
+                if code == 200 or code == 204 then
136 
+                    cache:set(keyId, content);
137 
+                end
138 
+                done();
139 
+            else
140 
+                module:log("warn", "public key reply delivered after timeout from: %s",keyurl);
135 141 
             end
136 
-            done();
137 142 
         end
138 
-        local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');
139 
-        module:log("debug", "Fetching public key from: "..keyurl);
140 
-
141 
-        -- We hash the key ID to work around some legacy behavior and make
142 
-        -- deployment easier. It also helps prevent directory
143 
-        -- traversal attacks (although path cleaning could have done this too).
144 
-        local request = http.request(keyurl, {
145 
-            headers = http_headers or {},
146 
-            method = "GET"
147 
-        }, cb);
148 
-
149 143 
         -- TODO: Is the done() call racey? Can we cancel this if the request
150 144 
         --       succeedes?
151 145 
         local function cancel()
152 146 
             -- TODO: This check is racey. Not likely to be a problem, but we should
153 147 
             --       still stick a mutex on content / code at some point.
154 148 
             if code == nil then
149 
+                timeout_occurred = true;
155 150 
                 module:log("warn", "Timeout %s seconds fetching public key from: %s",http_timeout,keyurl);
156 151 
                 if http.destroy_request then
157 152 
                     http.destroy_request(request);
 
@@ -159,6 +154,18 @@ function Util:get_public_key(keyId)
159 154 
                 done();
160 155 
             end
161 156 
         end
157 
+
158 
+        local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');
159 
+        module:log("debug", "Fetching public key from: "..keyurl);
160 
+
161 
+        -- We hash the key ID to work around some legacy behavior and make
162 
+        -- deployment easier. It also helps prevent directory
163 
+        -- traversal attacks (although path cleaning could have done this too).
164 
+        local request = http.request(keyurl, {
165 
+            headers = http_headers or {},
166 
+            method = "GET"
167 
+        }, cb);
168 
+
162 169 
         timer.add_task(http_timeout, cancel);
163 170 
         wait();
164 171

Write Preview
Loading…
Cancel
Save