# HG changeset patch
# User Matthew Wild
# Date 1507110892 -3600
# Node ID 8fd37f0e108c1aa9ece510a2f0bdf2bfbe37d8fd
# Parent fe5bb7b13a59b9f36f910915c491c9b08cf8401d
mod_firewall: Don't interpret format specifiers in LOG
May include untrusted input (e.g. $(stanza)), and there is no legitimate way to provide additional parameters anyway.
diff -r fe5bb7b13a59 -r 8fd37f0e108c mod_firewall/actions.lib.lua
--- a/mod_firewall/actions.lib.lua Tue Oct 03 22:37:15 2017 +0100
+++ b/mod_firewall/actions.lib.lua Wed Oct 04 10:54:52 2017 +0100
@@ -176,7 +176,7 @@
 local level = string:match("^%[(%a+)%]") or "info";
 string = string:gsub("^%[%a+%] ?", "");
 local meta_deps = {};
- local code = meta(("(session.log or log)(%q, %q);"):format(level, string), meta_deps);
+ local code = meta(("(session.log or log)(%q, '%%s', %q);"):format(level, string), meta_deps);
 return code, meta_deps;
 end
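Review bot: The added `'%%s'` argument on the changed line has no comment saying why it is there, and a later reader is likely to "simplify" it back to the two-argument form, reintroducing the format-string issue this commit removes. A one-line why-comment above the `local code = ...` line would pin the intent: `-- Always log the message via '%s' rather than as the format string: it may contain $(...) expansions of untrusted data (e.g. the stanza), and a stray '%' there must never be interpreted.` The message is still `%q`-quoted, so any `$(...)` expansion performed by `meta` presumably ends up as string concatenation inside that literal rather than as extra format arguments, which is what makes the `'%s'` form sufficient; that depends on `meta`, which is outside the hunk, so it is worth confirming. The enclosing function starts before the hunk, and the header counts 7 lines per side while 6 are visible here.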