From owner-freebsd-arch@FreeBSD.ORG Thu Jul 31 18:40:33 2014
From: Phil Shafer
To: John-Mark Gurney
Cc: sjg@freebsd.org, arch@freebsd.org, marcel@freebsd.org
Subject: Re: XML Output: libxo - provide single API to output TXT, XML, JSON and HTML
Date: Thu, 31 Jul 2014 14:39:47 -0400
Message-ID: <201407311839.s6VIdlMK096434@idle.juniper.net>
In-Reply-To: <20140731175547.GO43962@funkthat.com>

John-Mark Gurney writes:
> Return an error? printf can return an error, yet most people don't
> check it.. so no real difference in API/bugs...

My concern is emitting half a string, where the half we don't emit is something important.
I don't want to make the opposite of an injection attack, where arranging some daemon to call xo_emit with a broken UTF-8 string allows an evil-doer to fix their evil content into the other half of the string.

I'm escaping XML, JSON, and HTML content already, so the simplest scheme is to:

a) UTF-8 check the format string; if it fails, nothing is emitted
b) for each format descriptor, check the content generated; if it fails, nothing is emitted from the xo_emit call; anything already generated is discarded

Simple and easy. Seem reasonable?

The other option would be to discard only that specific format descriptor or only that field description.

    xo_emit("{:good/%d}{:bad/%d%s}{:ugly}", 0, 55, "\xff\x01\xff", "cat");

Does the "cat" get emitted? Is "55" emitted? If "ugly" was phil, and the bogus string blocked the generation of that vital bit of info, life could be bad.

Unfortunately, even this isn't a simple fix for "w", which wants to call wcsftime() to get wide values for month and day-of-the-week names. Does wcsrtombs() convert this to UTF-8? Is there a locale for UTF-8?

Thanks,
 Phil
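The two policies weighed in the message above (discard the whole xo_emit output versus drop only the bad field), as an added C example that is not libxo's own code: utf8_valid and emit_fields are hypothetical helpers, and the three fields are the rendered values from the xo_emit call quoted in the message.

```c
#include <string.h>

/* Strict UTF-8 check on the first n bytes of s: rejects truncated and overlong
 * sequences, stray continuation bytes, surrogates and > U+10FFFF. 1 = valid. */
int utf8_valid(const char *s, size_t n)
{
    const unsigned char *p = (const unsigned char *)s, *end = p + n;
    while (p < end) {
        unsigned char c = *p;
        size_t len; unsigned cp, min;
        if (c < 0x80) { p++; continue; }
        if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                          /* 0x80..0xBF or 0xF8..0xFF lead byte */
        if ((size_t)(end - p) < len) return 0;  /* truncated sequence */
        for (size_t i = 1; i < len; i++) {
            if ((p[i] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (p[i] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        p += len;
    }
    return 1;
}

/* Emit already-rendered fields into out. skip_bad == 0: all-or-nothing, any
 * invalid field leaves out empty and returns -1. skip_bad != 0: drop only the
 * invalid fields. Output is staged so nothing reaches out before every check. */
int emit_fields(char *out, size_t outsz, const char **fields, size_t nfields, int skip_bad)
{
    char staging[256];
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < nfields; i++) {
        size_t flen = strlen(fields[i]);
        if (!utf8_valid(fields[i], flen)) {
            if (skip_bad) continue;             /* field-level discard */
            return -1;                          /* discard everything staged so far */
        }
        if (used + flen + 1 > sizeof(staging)) return -1;
        memcpy(staging + used, fields[i], flen);
        used += flen;
    }
    if (used + 1 > outsz) return -1;
    memcpy(out, staging, used);
    out[used] = '\0';
    return (int)used;
}
```

With the constructed fields {"0", "55\xff\x01\xff", "cat"}, the all-or-nothing policy emits nothing, while the per-field policy emits "0cat": the "55" is lost either way, which is the half-a-string problem the message describes.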