Make sure we only keep 100 formats around

To prevent a DOS attack by eating memory by generating many, many different format specifications.
rakudo · Apr 9, 2019 · 7201d89 · 7201d89
1 parent 12a094a
commit 7201d89
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/src/core/Rakudo/Internals/Sprintf.pm6 b/src/core/Rakudo/Internals/Sprintf.pm6
@@ -398,14 +398,18 @@ say $code;
 
     # actual workhorse for sprintf()
     my $format-lock := Lock.new; # allow multiple threads to create formats
-    my %FORMATS;                 # where we keep our formats
+    my $FORMATS := nqp::hash;    # where we keep our formats
     method SPRINTF(Str:D $format, @args --> Str:D) {
         $format-lock.protect: {
-            if %FORMATS.AT-KEY($format) -> &process {
+            if nqp::atkey($FORMATS,$format) -> &process {
                 process(@args);
             }
             else {
-                %FORMATS.BIND-KEY($format,create-format($format))(@args)
+                nqp::deletekey(
+                  $FORMATS,
+                  nqp::iterkey_s(nqp::shift(nqp::iterator($FORMATS)))
+                ) if nqp::elems($FORMATS) == 100;
+                nqp::bindkey($FORMATS,$format,create-format($format))(@args)
             }
         }
     }