Mercurial > prosody-modules
comparison mod_firewall/actions.lib.lua @ 2782:8fd37f0e108c
mod_firewall: Don't interpret format specifiers in LOG
May include untrusted input (e.g. $(stanza)), and there is no
legitimate way to provide additional parameters anyway.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 04 Oct 2017 10:54:52 +0100 |
| parents | 0116672348c4 |
| children | 165d2877eeac |
comparison
equal
deleted
inserted
replaced
| 2781:fe5bb7b13a59 | 2782:8fd37f0e108c |
|---|---|
| 174 | 174 |
| 175 function action_handlers.LOG(string) | 175 function action_handlers.LOG(string) |
| 176 local level = string:match("^%[(%a+)%]") or "info"; | 176 local level = string:match("^%[(%a+)%]") or "info"; |
| 177 string = string:gsub("^%[%a+%] ?", ""); | 177 string = string:gsub("^%[%a+%] ?", ""); |
| 178 local meta_deps = {}; | 178 local meta_deps = {}; |
| 179 local code = meta(("(session.log or log)(%q, %q);"):format(level, string), meta_deps); | 179 local code = meta(("(session.log or log)(%q, '%%s', %q);"):format(level, string), meta_deps); |
| 180 return code, meta_deps; | 180 return code, meta_deps; |
| 181 end | 181 end |
| 182 | 182 |
| 183 function action_handlers.RULEDEP(dep) | 183 function action_handlers.RULEDEP(dep) |
| 184 return "", { dep }; | 184 return "", { dep }; |