util.format: Expand explanation of purpose in comments
authorKim Alvefur <zash@zash.se>
Thu, 27 Jan 2022 21:40:13 +0100
changeset 12225 056b7920b686
parent 12224 25b853e64d83
child 12226 61592927335b
util.format: Expand explanation of purpose in comments
util/format.lua
--- a/util/format.lua	Thu Jan 27 21:14:22 2022 +0100
+++ b/util/format.lua	Thu Jan 27 21:40:13 2022 +0100
@@ -1,6 +1,9 @@
 --
--- A string.format wrapper that gracefully handles invalid arguments
+-- A string.format wrapper that gracefully handles invalid arguments since
+-- certain format string and argument combinations may casue errors or other
+-- issues like log spoofing
 --
+-- Provides some protection from e.g. CAPEC-135, CWE-117, CWE-134, CWE-93
 
 local tostring = tostring;
 local unpack = table.unpack or unpack; -- luacheck: ignore 113/unpack
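Review bot: The new header comment on the second added line has a typo, "casue" for "cause"; since this hunk exists only to improve the explanatory text, the line should read `-- certain format string and argument combinations may cause errors or other`. The sentence that starts with "since" also runs on without a terminating period, so ending the third added line with `issues like log spoofing.` would make the block read as two sentences before the CAPEC/CWE reference line.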
@@ -109,6 +112,8 @@
 			if not valid_utf8(arg) then
 				option = "q";
 			elseif option ~= "q" then -- gets fully escaped in the next block
+				-- Prevent funny things with ASCII control characters and ANSI escape codes (CWE-117)
+				-- Also ensure embedded newlines can't look like another log line (CWE-93)
 				args[i] = arg:gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t");
 				return spec;
 			end
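Review bot: The added comment says control characters are neutralised but does not say that the character class `[%z\1-\8\11-\31\127]` deliberately leaves out bytes 9 (tab) and 10 (newline), which is what the second `gsub("\n\t?", "\n\t")` relies on to indent continuation lines instead of escaping them. A reader checking this against CWE-117 will otherwise wonder whether the gap is an oversight; a one-line addition such as `-- Tab and newline are intentionally not in the class; newlines are indented below so a continuation can't start a new log line` would document the intent. The enclosing function, the `valid_utf8` helper and the `control_symbols` table are all defined outside this hunk, so the claim that `valid_utf8` failures are fully escaped by the `q` path is taken from the existing comment rather than visible code.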