12221:056b7920b686
util.format: Expand explanation of purpose in comments
author | Kim Alvefur <zash@zash.se> |
date | Thu, 27 Jan 2022 21:40:13 +0100 |
parents | 12220:25b853e64d83 |
children | 12222:61592927335b |
files | util/format.lua |
diffstat | 1 files changed, 6 insertions(+), 1 deletions(-) [+] |
--- a/util/format.lua Thu Jan 27 21:14:22 2022 +0100
+++ b/util/format.lua Thu Jan 27 21:40:13 2022 +0100
@@ -1,6 +1,9 @@
 --
--- A string.format wrapper that gracefully handles invalid arguments
+-- A string.format wrapper that gracefully handles invalid arguments since
+-- certain format string and argument combinations may casue errors or other
+-- issues like log spoofing
 --
+-- Provides some protection from e.g. CAPEC-135, CWE-117, CWE-134, CWE-93
 
 local tostring = tostring;
 local unpack = table.unpack or unpack; -- luacheck: ignore 113/unpack
@@ -109,6 +112,8 @@
 if not valid_utf8(arg) then
 option = "q";
 elseif option ~= "q" then -- gets fully escaped in the next block
+-- Prevent funny things with ASCII control characters and ANSI escape codes (CWE-117)
+-- Also ensure embedded newlines can't look like another log line (CWE-93)
 args[i] = arg:gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t");
 return spec;
 end
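Review bot: The new header comment misspells "cause" in `-- certain format string and argument combinations may casue errors or other`; suggest `-- certain format string and argument combinations may cause errors or other`. The CWE list is a useful pointer, but a reader still cannot tell from the header what "gracefully" means in practice (which arguments are rejected, escaped or substituted), so one sentence naming the fallback behaviour would make the protection claim checkable against the code below.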
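Review bot: The new comment promises protection against "ANSI escape codes", but the pattern on the following line, `[%z\1-\8\11-\31\127]`, only covers C0 controls and DEL; C1 controls such as CSI (U+009B), which are valid UTF-8 and therefore reach this branch rather than the `option = "q"` path, are not matched and are presumably passed through to the log. Whether `control_symbols` or a later block handles them is not visible in this hunk, so either extend the substitution with a second pass like `:gsub("\194[\128-\159]", control_symbols)` (if control_symbols accepts two-byte keys) or narrow the comment to `-- Replace C0 control characters and DEL (ESC included, so ANSI escapes are neutralised) (CWE-117)`. The enclosing function starts before this hunk and its remainder is outside it.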