Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to improve safety
ClosedPublic
Actions

Authored by epriestley on Nov 7 2018, 12:45 AM.

Details

Reviewers

amckinley

Maniphest Tasks

T6960: Support %P in qsprintf()
T13216: 2018 Week 45-47 Bonus Content
T13217: Upgrading: Hardening of qsprintf()

Commits

rPHUbe5a87463ac5: Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to…

Summary

Depends on D19782. Ref T13217. Ref T13216. Ref T6960. We currently construct some queries by passing implode(...) directly to qsprintf().

I believe we can cover all these cases (or, at least, almost all these cases) with conversions for imploding on AND, OR, or comma. This will ultimately let us make %Q safer.

Test Plan

Played around with these in a toy qsprintf() script; upcoming changes will convert Phabricator callsites more aggressively.

Diff Detail

Repository

rPHU libphutil

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Nov 7 2018, 12:45 AM

Harbormaster completed remote builds in B21098: Diff 47249.Nov 7 2018, 12:45 AM

epriestley requested review of this revision.Nov 7 2018, 12:45 AM

epriestley mentioned this in D19784: Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics.Nov 7 2018, 1:07 AM

epriestley added a child revision: D19786: Add %LJ (joined with spaces) to qsprintf() for merging JOIN clauses.Nov 7 2018, 10:48 AM

amckinley accepted this revision.Nov 7 2018, 8:57 PM

This revision is now accepted and ready to land.Nov 7 2018, 8:57 PM

Closed by commit rPHUbe5a87463ac5: Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to… (authored by epriestley). · Explain WhyNov 13 2018, 4:49 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

xsprintf/

qsprintf.php

39 lines

Diff 47286

View Options

Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to improve safetyClosedPublicActions