mod_firewall: Don't interpret format specifiers in LOG
authorMatthew Wild <mwild1@gmail.com>
Wed, 04 Oct 2017 10:54:52 +0100
changeset 2786 8fd37f0e108c
parent 2785 fe5bb7b13a59
child 2787 8d1634b71066
mod_firewall: Don't interpret format specifiers in LOG May include untrusted input (e.g. $(stanza)), and there is no legitimate way to provide additional parameters anyway.
mod_firewall/actions.lib.lua
--- a/mod_firewall/actions.lib.lua	Tue Oct 03 22:37:15 2017 +0100
+++ b/mod_firewall/actions.lib.lua	Wed Oct 04 10:54:52 2017 +0100
@@ -176,7 +176,7 @@
 	local level = string:match("^%[(%a+)%]") or "info";
 	string = string:gsub("^%[%a+%] ?", "");
 	local meta_deps = {};
-	local code = meta(("(session.log or log)(%q, %q);"):format(level, string), meta_deps);
+	local code = meta(("(session.log or log)(%q, '%%s', %q);"):format(level, string), meta_deps);
 	return code, meta_deps;
 end
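Review bot: The new line on L16 is correct but carries no explanation of why a literal `'%%s'` is spliced into the generated call, so the next maintainer is likely to "simplify" it back to the two-argument form and reintroduce the issue; add a comment above it such as `-- Always pass the message as a format argument, never as the format string: it may contain untrusted text (e.g. an expanded $(stanza)) with '%' sequences.`. The emitted `%q` literal is also still run through `meta()` afterwards, and if that helper substitutes `$(...)` placeholders with Lua expressions the substituted code is what the `%s` argument ends up being, so the effectiveness of the fix depends on `meta()` not itself producing a format string — worth confirming, as its definition is outside the hunk. As a point of style, the context lines reuse the parameter name `string` (L13 rebinds it), which shadows the `string` library for the rest of the function; a name like `msg` would avoid that. The enclosing function begins above the hunk.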