mod_firewall: Don't interpret format specifiers in LOG
May include untrusted input (e.g. $(stanza)), and there is no
legitimate way to provide additional parameters anyway.
--- a/mod_firewall/actions.lib.lua Tue Oct 03 22:37:15 2017 +0100
+++ b/mod_firewall/actions.lib.lua Wed Oct 04 10:54:52 2017 +0100
@@ -176,7 +176,7 @@
local level = string:match("^%[(%a+)%]") or "info";
string = string:gsub("^%[%a+%] ?", "");
local meta_deps = {};
- local code = meta(("(session.log or log)(%q, %q);"):format(level, string), meta_deps);
+ local code = meta(("(session.log or log)(%q, '%%s', %q);"):format(level, string), meta_deps);
return code, meta_deps;
end
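Review bot: The new `'%%s'` in the generated call on the changed `local code = meta(...)` line is carrying the security fix but nothing in the code says so, and a later tidy-up could easily fold it back into a single format argument; add a comment above that line, e.g. `-- Log through a fixed '%s' format and pass the message as an argument: it may embed untrusted data (e.g. $(stanza)) that must never reach the logger as format specifiers.` Separately, the variable named `string` (used in the `string:match` and `string = string:gsub(...)` lines) shadows the `string` library inside this function, which is presumably why the generated-code line uses the `("..."):format(...)` method form; renaming it to something like `message` would avoid a silent breakage for anyone who later adds a `string.format` call here. The enclosing function starts before the hunk, so its signature and the origin of that variable are not visible.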