mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

util.format: Expand explanation of purpose in comments

Browse source
This commit is contained in:
Kim Alvefur 2022-01-27 21:40:13 +01:00
parent c551d3d8dd
commit dccab4e10f
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
util/format.lua
View file

@ -1,6 +1,9 @@
-- --
-- A string.format wrapper that gracefully handles invalid arguments -- A string.format wrapper that gracefully handles invalid arguments since
-- certain format string and argument combinations may casue errors or other
-- issues like log spoofing
-- --
-- Provides some protection from e.g. CAPEC-135, CWE-117, CWE-134, CWE-93
local tostring = tostring; local tostring = tostring;
local unpack = table.unpack or unpack; -- luacheck: ignore 113/unpack local unpack = table.unpack or unpack; -- luacheck: ignore 113/unpack
@ -109,6 +112,8 @@ local function format(formatstring, ...)
if not valid_utf8(arg) then if not valid_utf8(arg) then
option = "q"; option = "q";
elseif option ~= "q" then -- gets fully escaped in the next block elseif option ~= "q" then -- gets fully escaped in the next block
-- Prevent funny things with ASCII control characters and ANSI escape codes (CWE-117)
-- Also ensure embedded newlines can't look like another log line (CWE-93)
args[i] = arg:gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t"); args[i] = arg:gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t");
return spec; return spec;
end end