On Mon, 25 Sep 2017 12:57:02 GMT, Erdem wrote:

I may port a small blog application to vibe.d. I have a form in which users input a title and a post body.

I was testing the form. When I enter this expression into the body field:

Şaşı '''' baktığımız'' için ?$%&

the program throws an exception.

core.exception.AssertError@../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d(128): Orphan format specifier: %&
??:? _d_assert_msg [0xb5af22]
../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d:128 nothrow @safe void vibe.core.log.log!(4, "source/app.d", 52, immutable(char)[]).log(immutable(char)[]) [0x8d0c0a]
../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d:139 nothrow @safe void vibe.core.log.logInfo!("source/app.d", 52, immutable(char)[]).logInfo(immutable(char)[]) [0x8d0a67]
source/app.d:42 void app.Gönderi.kaydet() [0x8bfbcc]
source/app.d:83 void app.gönderiyiKaydet(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse) [0x8bff73]
/usr/include/dmd/phobos/std/functional.d-mixin-1223:1234 void std.functional.DelegateFaker!(void function(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse)*).DelegateFaker.doIt(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse) [0x8e2bf3]

Should we also keep track of some special characters?

It looks like the form field is passed verbatim as logInfo(value). However, logInfo takes a format string as the first argument (same format as for std.format.format or writefln), so for printing user input it should always be logInfo("%s", value) instead. In contrast to C's printf this is not a critical security hole, but it is a DoS target.

Also I wonder whether vibe-d offers any protection against cross-site request forgery (CSRF) attacks.

There is some integrated support for origin checks in the REST interface generator (allowedOrigins), but for the web interface generator it has to be done manually by setting the appropriate headers. The same goes for other measures, such as CSRF tokens. Those can be implemented quite simply using the session functionality (for example using a SessionVar!string token; class member if using vibe.web.web).
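As an added example, not code from this thread or from vibe.d itself, the following puts both answers together in one vibe.d 0.8-style web interface class: user input is passed to logInfo only as an argument to a fixed format string, and POSTs are checked against a session-bound token kept in a SessionVar. The class name, the Diet template "new.dt" and the hidden form field name "csrf" are assumptions.

```d
// Added example, not code from the thread or from vibe.d itself.
// Assumes a Diet template "new.dt" with a hidden form field named "csrf".
import vibe.core.core : runApplication;
import vibe.core.log : logInfo;
import vibe.http.router : URLRouter;
import vibe.http.server;
import vibe.http.session : MemorySessionStore;
import vibe.web.web;
import std.uuid : randomUUID;
class BlogWeb {
    // Per-session token; the string is the key used in the session store.
    private SessionVar!(string, "csrf_token") m_csrfToken;

    // GET /new: issue the token once per session and render the form with it.
    void getNew()
    {
        if (m_csrfToken.value.length == 0)
            m_csrfToken = randomUUID().toString(); // swap for a CSPRNG in production
        string csrf = m_csrfToken.value;
        render!("new.dt", csrf);
    }

    // POST /new: form fields are bound by parameter name, including "csrf".
    void postNew(string title, string text, string csrf)
    {
        // A cross-site page cannot read the victim's session token, so a
        // forged POST cannot supply a matching value and is refused here.
        enforceHTTP(csrf.length > 0 && csrf == m_csrfToken.value,
            HTTPStatus.forbidden, "Missing or invalid CSRF token");

        // The thread's crash: logInfo(text) uses the post body as the format
        // string, so "?$%&" trips "Orphan format specifier: %&".
        // Correct: fixed format string, user data only as arguments.
        logInfo("New post %s (%s bytes)", title, text.length);

        redirect("/");
    }
}

void main()
{
    auto settings = new HTTPServerSettings;
    settings.port = 8080;
    settings.sessionStore = new MemorySessionStore; // SessionVar needs a store
    auto router = new URLRouter;
    router.registerWebInterface(new BlogWeb);
    listenHTTP(settings, router);
    runApplication();
}
```

The token check only works if the form template actually emits the hidden "csrf" field and the session cookie is scoped to this site; without a session store, every SessionVar read returns the default value.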