changes/ticket24726 0 → 100644 +4 −0 Original line number Diff line number Diff line o Minor features (fallback directory mirrors): - Remove commas and equals signs from external string inputs to the fallback list. This avoids format confusion attacks. Implements ticket 24726.
scripts/maint/updateFallbackDirs.py +8 −0 Original line number Diff line number Diff line Loading @@ -284,6 +284,10 @@ def cleanse_c_multiline_comment(raw_string): bad_char_list = '*/' # Prevent a malicious string from using C nulls bad_char_list += '\0' # Avoid confusing parsers by making sure there is only one comma per fallback bad_char_list += ',' # Avoid confusing parsers by making sure there is only one equals per field bad_char_list += '=' # Be safer by removing bad characters entirely cleansed_string = remove_bad_chars(cleansed_string, bad_char_list) # Some compilers may further process the content of comments Loading @@ -304,6 +308,10 @@ def cleanse_c_string(raw_string): bad_char_list += '\\' # Prevent a malicious string from using C nulls bad_char_list += '\0' # Avoid confusing parsers by making sure there is only one comma per fallback bad_char_list += ',' # Avoid confusing parsers by making sure there is only one equals per field bad_char_list += '=' # Be safer by removing bad characters entirely cleansed_string = remove_bad_chars(cleansed_string, bad_char_list) # Some compilers may further process the content of strings Loading
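Review bot: The four added lines (the comma and equals-sign additions to bad_char_list, each with its comment) are repeated verbatim in both hunks of this file, in cleanse_c_multiline_comment and cleanse_c_string, so the two denylists can drift apart the next time a delimiter needs stripping. Hoisting them into one module-level constant, e.g. `FALLBACK_FIELD_DELIMITERS = ',='` with the comment `# Delimiters of fallback entries (',') and fields ('='); stripped from every external string to prevent format confusion` and `bad_char_list += FALLBACK_FIELD_DELIMITERS` in both functions, keeps them in lockstep. Because remove_bad_chars drops the characters silently, it would also help detection to log when the cleansed result differs from raw_string, so an attempted injection through an external string is noticed rather than only neutralised. Both functions' bodies begin and end outside the hunks, so the rest of the bad_char_list construction is not visible here.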