RejectedSoftware Forums

Sign up

Orphan format specifier error

avatar
Erdem
Posted Mon, 25 Sep 2017 12:57:02 GMT
Reply

I may port a small blog application to vibe.d. I have a form which users input title and post body.

I was testing the form. When I enter this expression to body field:

Şaşı '''' baktığımız'' için ?$%&

program throws an exception. 

core.exception.AssertError@../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d(128): Orphan format specifier: %&
----------------
??:? _d_assert_msg [0xb5af22]
../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d:128 nothrow @safe void vibe.core.log.log!(4, "source/app.d", 52, immutable(char)[]).log(immutable(char)[]) [0x8d0c0a]
../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d:139 nothrow @safe void vibe.core.log.logInfo!("source/app.d", 52, immutable(char)[]).logInfo(immutable(char)[]) [0x8d0a67]
source/app.d:42 void app.Gönderi.kaydet() [0x8bfbcc]
source/app.d:83 void app.gönderiyiKaydet(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse) [0x8bff73]
/usr/include/dmd/phobos/std/functional.d-mixin-1223:1234 void std.functional.DelegateFaker!(void function(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse)*).DelegateFaker.doIt(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse) [0x8e2bf3]

Should we also keep track of some special characters.

Also I wonder whether vibe-d offers any protection against cross-site request forgery (CSRF) attacks.

Erdem

Re: Orphan format specifier error

avatar
Sönke Ludwig
Posted Mon, 25 Sep 2017 18:49:57 GMT in reply to Erdem
Reply

On Mon, 25 Sep 2017 12:57:02 GMT, Erdem wrote:

I may port a small blog application to vibe.d. I have a form which users input title and post body.

I was testing the form. When I enter this expression to body field:

Şaşı '''' baktığımız'' için ?$%&

program throws an exception. 

core.exception.AssertError@../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d(128): Orphan format specifier: %&
----------------
??:? _d_assert_msg [0xb5af22]
../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d:128 nothrow @safe void vibe.core.log.log!(4, "source/app.d", 52, immutable(char)[]).log(immutable(char)[]) [0x8d0c0a]
../../.dub/packages/vibe-d-0.8.1/vibe-d/core/vibe/core/log.d:139 nothrow @safe void vibe.core.log.logInfo!("source/app.d", 52, immutable(char)[]).logInfo(immutable(char)[]) [0x8d0a67]
source/app.d:42 void app.Gönderi.kaydet() [0x8bfbcc]
source/app.d:83 void app.gönderiyiKaydet(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse) [0x8bff73]
/usr/include/dmd/phobos/std/functional.d-mixin-1223:1234 void std.functional.DelegateFaker!(void function(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse)*).DelegateFaker.doIt(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse) [0x8e2bf3]

Should we also keep track of some special characters.

It looks like the form field is passed verbatim as logInfo(value);. However, logInfo takes a format string as the first argument (same format as for std.format.format or writefln), so for printing user input it should always be logInfo("%s", value); instead. In contrast to C's printf this is not a critical security hole, but it is a DoS target.

Also I wonder whether vibe-d offers any protection against cross-site request forgery (CSRF) attacks.

There is some integrated support for origin checks in the REST interface generator (allowedOrigins), but for the web interface generator it has to be done manually by setting the appropriate headers. The same goes for other measures, such as CSRF tokens. Those can be implemented quite simply using the session functionality (for example using a SessionVar!string token; class member if using vibe.web.web).