-
-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue I. User Input Written to Logs #829
Comments
All messages should be logged in a way that safely and unambiguously encodes non-printable characters. All logging paths should go through the same, safe sanitizer. |
@defuse : in order to address the issue we have:
|
@evilaliv3 In the code in the report, the return values are prefixed with Other than that it looks good. |
thank you @defuse for the fast response. we will evaluate this possibility but i've done it intentionally in order to flatten out all in the same format. |
allright also this ticket can be considered closed. the logs do now filter against terminal escape sequences and not visible characters in general and a complete review of the error messages has been done. |
Checking the new log_remove_escapes code: it calls str() on the argument, and catches Exception, and in that case returns "Failur in log_remove_escapes %s" % e. If the argument is of a class with str, which raises an exception, and the exception has a str producing something dangerous, then this code fails to escape it. If it used %r instead of %s, I'd be happier, because the normal behavior of %s is a non-escaped string, which the normal result with %r is escaped. It's still possible to override that, but not so likely as an accident. About the disambiguating prefixes, I'd suggest tailoring them to what's common and nice-looking in your system instead of eliminating them, though like @defuse I'm not sure it'll matter. |
Alternatively (or, really, in addition), in the failure case I complained about above, you could test the result string for any non-printable ASCII characters, and substitute a last-ditch truly-safe complaint message, if raising an exception is no good. All the other code paths are OK without such a check. |
ok for the remediation stage i'm going to simply apply your suggestion for the change from "%s" to "%r". thanks for your review. |
No description provided.
The text was updated successfully, but these errors were encountered: