From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, rjones@redhat.com,
Markus Armbruster <armbru@redhat.com>
Subject: Re: [PATCH 1/2] util: Refactor json-writer's string sanitizer to be public
Date: Wed, 7 Aug 2024 19:49:32 +0100 [thread overview]
Message-ID: <ZrPBvOSrLjgTNlV3@redhat.com> (raw)
In-Reply-To: <20240802194156.2131519-5-eblake@redhat.com>
On Fri, Aug 02, 2024 at 02:26:05PM -0500, Eric Blake wrote:
> My next patch needs to convert text from an untrusted input into an
> output representation that is suitable for display on a terminal is
> useful to more than just the json-writer; the text should normally be
> UTF-8, but blindly allowing all Unicode code points (including ASCII
> ESC) through to a terminal risks remote-code-execution attacks on some
> terminals. Extract the existing body of json-writer's quoted_strinto
> a new helper routine mod_utf8_sanitize, and generalize it to also work
> on data that is length-limited rather than NUL-terminated. [I was
> actually surprised that glib does not have such a sanitizer already -
> Google turns up lots of examples of rolling your own string
> sanitizer.]
>
> If desired in the future, we may want to tweak whether the output is
> guaranteed to be ASCII (using lots of \u escape sequences, including
> surrogate pairs for code points outside the BMP) or if we are okay
> passing printable Unicode through (we still need to escape control
> characters). But for now, I went for minimal code churn, including
> the fact that the resulting function allows a non-UTF-8 2-byte synonym
> for U+0000.
>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
> include/qemu/unicode.h | 3 ++
> qobject/json-writer.c | 47 +----------------------
> util/unicode.c | 84 ++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 88 insertions(+), 46 deletions(-)
I was going to ask for a unit test, but "escaped_string" in
test-qjson.c looks like it will be covering this sufficiently
well already, that we don't need to test it in isolation.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2024-08-07 18:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 19:26 [PATCH for-9.1 0/2] NBD: don't print raw server error text to terminal Eric Blake
2024-08-02 19:26 ` [PATCH 1/2] util: Refactor json-writer's string sanitizer to be public Eric Blake
2024-08-02 21:00 ` Richard W.M. Jones
2024-08-02 21:38 ` Philippe Mathieu-Daudé
2024-08-07 18:49 ` Daniel P. Berrangé [this message]
2024-08-08 7:57 ` Markus Armbruster
2024-08-08 7:54 ` Markus Armbruster
2024-08-08 14:02 ` Eric Blake
2024-08-02 19:26 ` [PATCH 2/2] qemu-img: CVE-XXX Sanitize untrusted output from NBD server Eric Blake
2024-08-02 21:03 ` Richard W.M. Jones
2024-08-07 18:45 ` Daniel P. Berrangé
2024-08-02 21:41 ` Philippe Mathieu-Daudé
2024-08-07 13:43 ` Stefan Hajnoczi
2024-08-02 22:01 ` Richard W.M. Jones
2024-08-03 8:20 ` Richard W.M. Jones
2024-08-05 18:48 ` [PATCH for-9.1 0/2] NBD: don't print raw server error text to terminal Eric Blake
2024-08-05 19:11 ` Richard W.M. Jones
2024-08-07 17:51 ` Eric Blake
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZrPBvOSrLjgTNlV3@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).