prosody-modules
mod_firewall/actions.lib.lua @ 2782:8fd37f0e108c
mod_firewall: Don't interpret format specifiers in LOG
May include untrusted input (e.g. $(stanza)), and there is no
legitimate way to provide additional parameters anyway.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Wed, 04 Oct 2017 10:54:52 +0100 |
parent | 2581:0116672348c4 |
child | 2894:165d2877eeac |
--- a/mod_firewall/actions.lib.lua Tue Oct 03 22:37:15 2017 +0100 +++ b/mod_firewall/actions.lib.lua Wed Oct 04 10:54:52 2017 +0100 @@ -176,7 +176,7 @@ local level = string:match("^%[(%a+)%]") or "info"; string = string:gsub("^%[%a+%] ?", ""); local meta_deps = {}; - local code = meta(("(session.log or log)(%q, %q);"):format(level, string), meta_deps); + local code = meta(("(session.log or log)(%q, '%%s', %q);"):format(level, string), meta_deps); return code, meta_deps; end
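Review bot: The changed `local code = meta(...)` line carries no comment explaining why a literal `'%%s'` now sits between `level` and `string`, so a later cleanup could easily revert it and make the LOG text the format string again. Suggest a one-line comment above it saying that the message must always be passed as an argument to a fixed `'%s'` format because it may contain untrusted input, and that the percent sign is doubled because the template itself goes through `:format(level, string)`; a single `%s` there would consume `string` and leave the final `%q` without an argument. As a smaller style point, the context lines show a local named `string` (`string:match`, `string:gsub`), which shadows Lua's standard `string` library inside this function; a name such as `message` would avoid surprises if library calls are added here later.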