prosody
056b7920b686
util/format.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

util/format.lua @ 12221:056b7920b686

util.format: Expand explanation of purpose in comments
author Kim Alvefur <zash@zash.se>
date Thu, 27 Jan 2022 21:40:13 +0100
parent 12220:25b853e64d83
child 12261:f7946c8e502f
comparison
equal deleted inserted replaced
12220:25b853e64d83 12221:056b7920b686
1 -- 1 --
2 -- A string.format wrapper that gracefully handles invalid arguments 2 -- A string.format wrapper that gracefully handles invalid arguments since
3 -- certain format string and argument combinations may casue errors or other
4 -- issues like log spoofing
3 -- 5 --
6 -- Provides some protection from e.g. CAPEC-135, CWE-117, CWE-134, CWE-93
4 7
5 local tostring = tostring; 8 local tostring = tostring;
6 local unpack = table.unpack or unpack; -- luacheck: ignore 113/unpack 9 local unpack = table.unpack or unpack; -- luacheck: ignore 113/unpack
7 local pack = require "util.table".pack; -- TODO table.pack in 5.2+ 10 local pack = require "util.table".pack; -- TODO table.pack in 5.2+
8 local valid_utf8 = require "util.encodings".utf8.valid; 11 local valid_utf8 = require "util.encodings".utf8.valid;
107 110
108 if t == "string" and option ~= "p" then 111 if t == "string" and option ~= "p" then
109 if not valid_utf8(arg) then 112 if not valid_utf8(arg) then
110 option = "q"; 113 option = "q";
111 elseif option ~= "q" then -- gets fully escaped in the next block 114 elseif option ~= "q" then -- gets fully escaped in the next block
115 -- Prevent funny things with ASCII control characters and ANSI escape codes (CWE-117)
116 -- Also ensure embedded newlines can't look like another log line (CWE-93)
112 args[i] = arg:gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t"); 117 args[i] = arg:gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t");
113 return spec; 118 return spec;
114 end 119 end
115 end 120 end
116 121