Date: Thu, 31 Jul 2014 14:39:47 -0400
From: Phil Shafer <phil@juniper.net>
To: John-Mark Gurney <jmg@funkthat.com>
Cc: sjg@freebsd.org, arch@freebsd.org, marcel@freebsd.org
Subject: Re: XML Output: libxo - provide single API to output TXT, XML, JSON and HTML
Message-ID: <201407311839.s6VIdlMK096434@idle.juniper.net>
In-Reply-To: <20140731175547.GO43962@funkthat.com>

John-Mark Gurney writes:
>Return an error?  printf can return an error, yet most people don't
>check it..  so no real difference in API/bugs...

My concern is emitting half a string, where the half we don't emit
is something important.  I don't want to make the opposite of an
injection attack, where arranging some daemon to call xo_emit with
a broken UTF-8 string allows an evil-doer to fix their evil content
into the other half of the string.

I'm escaping XML, JSON, and HTML content already, so the simplest
scheme is to:

a) UTF-8 check the format string;
     if it fails, nothing is emitted
b) for each format descriptor, check the content generated;
     if it fails, nothing is emitted from the xo_emit call
     anything already generated is discarded

Simple and easy.  Seem reasonable?

The other option would be to discard only that specific format
descriptor or only that field description.

    xo_emit("{:good/%d}{:bad/%d%s}{:ugly}", 0, 55, "\xff\x01\xff", "cat");

Does the "<ugly>cat</ugly>" get emitted?  Is "<bad>55</bad>" emitted?

If "ugly" was <run-this-command-as-user>phil</...>, and the bogus
string blocked the generation of that vital bit of info, life could
be bad.

Unfortunately, even this isn't a simple fix for "w", which wants to
call wcsftime() to get wide values for month and day-of-the-week
names.  Does wcsrtombs() convert this to UTF-8?  Is there a locale
for UTF-8?

Thanks,
 Phil