From: Anders Waldenborg <anders@0x63.nu>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, Jeff King <peff@peff.net>,
Olga Telezhnaya <olyatelezhnaya@gmail.com>
Subject: Re: [PATCH v2 5/5] pretty: add support for separator option in %(trailers)
Date: Mon, 05 Nov 2018 19:24:14 +0100 [thread overview]
Message-ID: <871s7zl6xp.fsf@0x63.nu> (raw)
In-Reply-To: <xmqqpnvkjmtu.fsf@gitster-ct.c.googlers.com>
Junio C Hamano writes:
> Anders Waldenborg <anders@0x63.nu> writes:
>
>> @@ -1352,6 +1353,17 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */
>> arg++;
>>
>> opts.only_trailers = 1;
>> + } else if (skip_prefix(arg, "separator=", &arg)) {
>> + size_t seplen = strcspn(arg, ",)");
>> + strbuf_reset(&sepbuf);
>> + char *fmt = xstrndup(arg, seplen);
>> + strbuf_expand(&sepbuf, fmt, format_fundamental, NULL);
>
> This somehow feels akin to using end-user supplied param to printf(3)
> as its format argument e.g.
>
> int main(int ac, char *av) {
> printf(av[1]);
> return 0;
> }
>
> which is not a good idea. Is there a mechanism with which we can
> ensure that the separator=<what> specification will never come from
> potentially malicious sources (e.g. not used to show things on webpage
> allowing random folks who access he site to supply custom format)?
I can't see a case where this could add anything that isn't already
possible.
AFAICU strbuf_expand doesn't suffer from the worst things that printf(3)
suffers from wrt untrusted format string (i.e no printf style %n which
can write to memory, and no vaargs on stack which allows leaking random
stuff).
The separator option is part of the full format string. If a malicious
user can specify that, they can't really do anything new, as the
separator only can expand %n and %xNN, which they already can do in the
full string.
But maybe I'm missing something?
next prev parent reply other threads:[~2018-11-05 18:24 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-28 12:50 [PATCH] pretty: Add %(trailer:X) to display single trailer Anders Waldenborg
2018-10-29 4:49 ` Junio C Hamano
2018-10-29 14:14 ` Jeff King
2018-10-29 17:05 ` Anders Waldenborg
2018-10-31 20:27 ` Jeff King
2018-10-31 23:01 ` Anders Waldenborg
2018-11-01 18:42 ` Jeff King
2018-11-04 15:22 ` [PATCH v2 0/5] %(trailers) improvements in pretty format Anders Waldenborg
2018-11-04 15:22 ` [PATCH v2 1/5] pretty: single return path in %(trailers) handling Anders Waldenborg
2018-11-04 15:22 ` [PATCH v2 2/5] pretty: allow showing specific trailers Anders Waldenborg
2018-11-04 18:14 ` Eric Sunshine
2018-11-05 3:48 ` Junio C Hamano
2018-11-05 3:52 ` Eric Sunshine
2018-11-05 8:26 ` Anders Waldenborg
2018-11-05 9:00 ` Eric Sunshine
2018-11-05 5:14 ` Junio C Hamano
2018-11-04 15:22 ` [PATCH v2 3/5] pretty: add support for "nokey" option in %(trailers) Anders Waldenborg
2018-11-04 15:22 ` [PATCH v2 4/5] pretty: extract fundamental placeholders to separate function Anders Waldenborg
2018-11-05 2:06 ` Junio C Hamano
2018-11-05 8:32 ` Anders Waldenborg
2018-11-06 1:46 ` Junio C Hamano
2018-11-04 15:22 ` [PATCH v2 5/5] pretty: add support for separator option in %(trailers) Anders Waldenborg
2018-11-05 2:10 ` Junio C Hamano
2018-11-05 18:24 ` Anders Waldenborg [this message]
2018-11-06 1:48 ` Junio C Hamano
2018-11-05 5:18 ` Junio C Hamano
2018-11-04 17:40 ` [PATCH v2 0/5] %(trailers) improvements in pretty format Eric Sunshine
2018-11-05 7:09 ` Anders Waldenborg
2018-11-18 11:44 ` [PATCH v3 " Anders Waldenborg
2018-11-18 11:44 ` [PATCH v3 1/5] pretty: single return path in %(trailers) handling Anders Waldenborg
2018-11-18 11:44 ` [PATCH v3 2/5] pretty: allow showing specific trailers Anders Waldenborg
2018-11-20 5:45 ` Junio C Hamano
2018-11-20 5:59 ` Junio C Hamano
2018-11-25 23:02 ` Anders Waldenborg
2018-11-26 3:13 ` Junio C Hamano
2018-11-26 6:56 ` Anders Waldenborg
2018-11-26 7:52 ` Junio C Hamano
2018-11-18 11:44 ` [PATCH v3 3/5] pretty: add support for "valueonly" option in %(trailers) Anders Waldenborg
2018-11-20 8:14 ` Eric Sunshine
2018-11-18 11:44 ` [PATCH v3 4/5] strbuf: separate callback for strbuf_expand:ing literals Anders Waldenborg
2018-11-18 11:44 ` [PATCH v3 5/5] pretty: add support for separator option in %(trailers) Anders Waldenborg
2018-11-20 8:25 ` Eric Sunshine
2018-12-08 16:36 ` [PATCH v4 0/7] %(trailers) improvements in pretty format Anders Waldenborg
2018-12-08 16:36 ` [PATCH v4 1/7] doc: group pretty-format.txt placeholders descriptions Anders Waldenborg
2018-12-08 16:36 ` [PATCH v4 2/7] pretty: allow %(trailers) options with explicit value Anders Waldenborg
2018-12-10 8:45 ` Junio C Hamano
2018-12-18 21:30 ` Anders Waldenborg
2019-01-29 16:55 ` Jeff King
2019-01-29 21:23 ` Anders Waldenborg
[not found] ` <CAL21Bmmx=EO+R2t+KviNekDhU3fc0wjCcmUmbzLa14bb0PAmHA@mail.gmail.com>
2019-01-31 18:46 ` Anders Waldenborg
2019-02-02 9:14 ` Оля Тележная
2018-12-08 16:36 ` [PATCH v4 3/7] pretty: single return path in %(trailers) handling Anders Waldenborg
2018-12-08 16:36 ` [PATCH v4 4/7] pretty: allow showing specific trailers Anders Waldenborg
2018-12-10 8:56 ` Junio C Hamano
2018-12-08 16:36 ` [PATCH v4 5/7] pretty: add support for "valueonly" option in %(trailers) Anders Waldenborg
2018-12-08 16:36 ` [PATCH v4 6/7] strbuf: separate callback for strbuf_expand:ing literals Anders Waldenborg
2018-12-08 16:36 ` [PATCH v4 7/7] pretty: add support for separator option in %(trailers) Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 0/7] %(trailers) improvements in pretty format Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 1/7] doc: group pretty-format.txt placeholders descriptions Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 2/7] pretty: Allow %(trailers) options with explicit value Anders Waldenborg
2019-01-28 22:38 ` Junio C Hamano
2019-01-29 6:45 ` Anders Waldenborg
2019-01-29 16:57 ` Jeff King
2019-01-29 6:49 ` [PATCH v5 2/7 update] pretty: allow " Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 3/7] pretty: single return path in %(trailers) handling Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 4/7] pretty: allow showing specific trailers Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 5/7] pretty: add support for "valueonly" option in %(trailers) Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 6/7] strbuf: separate callback for strbuf_expand:ing literals Anders Waldenborg
2019-01-28 21:33 ` [PATCH v5 7/7] pretty: add support for separator option in %(trailers) Anders Waldenborg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871s7zl6xp.fsf@0x63.nu \
--to=anders@0x63.nu \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=olyatelezhnaya@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.