Diff

mod_firewall/actions.lib.lua @ 2782:8fd37f0e108c

mod_firewall: Don't interpret format specifiers in LOG May include untrusted input (e.g. $(stanza)), and there is no legitimate way to provide additional parameters anyway.
author Matthew Wild <mwild1@gmail.com>
date Wed, 04 Oct 2017 10:54:52 +0100
parent 2581:0116672348c4
child 2894:165d2877eeac
line wrap: on
line diff
--- a/mod_firewall/actions.lib.lua	Tue Oct 03 22:37:15 2017 +0100
+++ b/mod_firewall/actions.lib.lua	Wed Oct 04 10:54:52 2017 +0100
@@ -176,7 +176,7 @@
 	local level = string:match("^%[(%a+)%]") or "info";
 	string = string:gsub("^%[%a+%] ?", "");
 	local meta_deps = {};
-	local code = meta(("(session.log or log)(%q, %q);"):format(level, string), meta_deps);
+	local code = meta(("(session.log or log)(%q, '%%s', %q);"):format(level, string), meta_deps);
 	return code, meta_deps;
 end