Page MenuHomePhabricator
Differential D19783

Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to improve safety
ClosedPublic
Actions

Authored by epriestley on Nov 7 2018, 12:45 AM.
Tags
None
Referenced Files
F17926877: D19783.diff
Wed, Jul 30, 1:47 PM
F17846798: D19783.id.diff
Sun, Jul 27, 5:20 AM
F17840465: D19783.diff
Sat, Jul 26, 9:10 PM
F17840361: D19783.diff
Sat, Jul 26, 9:04 PM
F17732346: D19783.id.diff
Sun, Jul 20, 4:34 AM
F17731327: D19783.id47249.diff
Sun, Jul 20, 1:08 AM
F17703970: D19783.diff
Wed, Jul 16, 2:53 AM
Unknown Object (File)
Jun 30 2025, 1:09 PM
View All Files
Subscribers
None

Details

Reviewers
amckinley
Maniphest Tasks
T6960: Support %P in qsprintf()
T13216: 2018 Week 45-47 Bonus Content
T13217: Upgrading: Hardening of qsprintf()
Commits
rPHUbe5a87463ac5: Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to…
Summary

Depends on D19782. Ref T13217. Ref T13216. Ref T6960. We currently construct some queries by passing implode(...) directly to qsprintf().

I believe we can cover all these cases (or, at least, almost all these cases) with conversions for imploding on AND, OR, or comma. This will ultimately let us make %Q safer.

Test Plan

Played around with these in a toy qsprintf() script; upcoming changes will convert Phabricator callsites more aggressively.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
src/
xsprintf/
39 lines

Diff 47286

View Options

src/xsprintf/qsprintf.php

Loading...
Phabricator · Built by Phacility