[*] Security: use AuCodepointsReplaceAll instead of AuReplaceAll under the loggers mitigations

Reece Wilson 2024-05-21 04:58:20 +01:00
parent ba36ea4ef1
commit 30b89f1bd7


@ -300,14 +300,17 @@ namespace Aurora::Logging
{ {
if (this->bEnableMitigations) if (this->bEnableMitigations)
{ {
// Nuke \r and \x1b / \33 / \e sequences using UTF-8 aware replaceall
// \r -> dont let a bad actor override cat and unformatted console logs
// \e -> dont let a bad actor communicate with a potentially vulnerable TTY emulator
if (msg.line.find('\r') != AuString::npos) [[unlikely]] if (msg.line.find('\r') != AuString::npos) [[unlikely]]
{ {
AuReplaceAll(msg.line, "\r", "\\r"); AuCodepointsReplaceAll(msg.line, "\r", "\\r");
} }
if (msg.line.find('\33') != AuString::npos) [[unlikely]] if (msg.line.find('\33') != AuString::npos) [[unlikely]]
{ {
AuReplaceAll(msg.line, "\33", "\\e"); AuCodepointsReplaceAll(msg.line, "\33", "\\e");
} }
} }
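Review bot: The two `AuCodepointsReplaceAll` calls now depend on `msg.line` decoding as UTF-8, while the guards above them (`msg.line.find('\r')`, `msg.line.find('\33')`) are byte-wise and logged text can carry malformed sequences. The implementation of `AuCodepointsReplaceAll` is not visible here; if it stops or returns early at an invalid sequence, a later `\r` or `\33` would reach the sink unescaped, whereas the byte-wise `AuReplaceAll` could not miss one because neither byte ever occurs inside a multi-byte UTF-8 sequence. I would state the requirement next to the calls, e.g. `// msg.line may be malformed UTF-8: every \r and \33 byte must still be escaped`, and cover it with a test line that has an invalid byte ahead of each character. The enclosing function starts and ends outside the hunk.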