HomePhabricator
Diffusion libphutil be5a87463ac5

Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to…
be5a87463ac5
Actions

Description

Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to improve safety

Summary:
Depends on D19782. Ref T13217. Ref T13216. Ref T6960. We currently construct some queries by passing implode(...) directly to qsprintf().

I believe we can cover all these cases (or, at least, almost all these cases) with conversions for imploding on AND, OR, or comma. This will ultimately let us make %Q safer.

Test Plan: Played around with these in a toy qsprintf() script; upcoming changes will convert Phabricator callsites more aggressively.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13217, T13216, T6960

Differential Revision: https://secure.phabricator.com/D19783

Details

Provenance
epriestleyAuthored on Nov 7 2018, 12:39 AM
epriestleyPushed on Nov 13 2018, 4:49 PM
Reviewer
amckinley
Differential Revision
D19783: Support %LA (AND), %LO (OR) and %LQ (comma) conversions for qsprintf() to improve safety
Parents
rPHUf842247de41a: Support %P (Password or Secret) in qsprintf()
Branches
Unknown
Tags
Unknown
Tasks
T6960: Support %P in qsprintf()
T13217: Upgrading: Hardening of qsprintf()
T13216: 2018 Week 45-47 Bonus Content
Build Status
Buildable 21135
Build 28731: Run Core Tests

Changes (1)

PathSize
src/
xsprintf/

rPHUbe5a87463ac5

View Options

src/xsprintf/qsprintf.php

Loading...
Phabricator · Built by Phacility