Date: Thu, 31 Jul 2014 14:39:47 -0400 From: Phil Shafer <phil@juniper.net> To: John-Mark Gurney <jmg@funkthat.com> Cc: sjg@freebsd.org, arch@freebsd.org, marcel@freebsd.org Subject: Re: XML Output: libxo - provide single API to output TXT, XML, JSON and HTML Message-ID: <201407311839.s6VIdlMK096434@idle.juniper.net> In-Reply-To: <20140731175547.GO43962@funkthat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
John-Mark Gurney writes:
>Return an error? printf can return an error, yet most people don't
>check it.. so no real difference in API/bugs...
My concern is emitting half a string, where the half we don't emit
is something important. I don't want to make the opposite of an
injection attack, where arranging some daemon to call xo_emit with
a broken UTF-8 string allows an evil-doer to fix their evil content
into the other half of the string.
I'm escaping XML, JSON, and HTML content already, so the simplest
scheme is to:
a) UTF-8 check the format string;
if it fails, nothing is emitted
b) for each format descriptor, check the content generared;
if it fails, nothing is emitted from the xo_emit call
anything already generated is discarded
Simple and easy. Seem reasonable? The other option would be to
discard only that specific format descriptor or only that field
description.
xo_emit("{:good/%d}{:bad/%d%s}{:ugly}", 0, 55, "\xff\x01\xff", "cat");
Does the "<ugly>cat</ugly>" get emitted? Is "<bad>55</bad>" emitted?
If "ugly" was <run-this-command-as-user>phil</...>, and the bogus
string blocked the generation of that vital bit of info, life could
be bad.
Unfortunately, even this isn't a simple fix for "w", which wants
call wcsftime() to get wide values for month and day-of-the-week
names. Does wcsrtombs() convert this to UTF-8? Is there a locale
for UTF-8?
Thanks,
Phil
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201407311839.s6VIdlMK096434>