Safe Parsing of Format Directives in Common Lisp
Question

I would like to read in a string from an input file (which may or may not have been modified by the user). I would like to treat this string as a format directive to be called with a fixed number of arguments. However, I understand that some format directives (particularly, the ~/ comes to mind) could potentially be used to inject function calls, making this approach inherently unsafe.
When using read to parse data in Common Lisp, the language provides the *read-eval* dynamic variable which can be set to nil to disable #. code injection. I'm looking for something similar that would prevent code injection and arbitrary function calls inside format directives.
Answer

If the user cannot introduce custom code but only format strings, then you can avoid the problems of print-object. Remember to use with-standard-io-syntax (or a customized version of it) to control the exact kind of output you will generate (think about *print-base*, ...).
You can scan the input strings to detect the presence of ~/ (but ~~/ is valid) and refuse to interpret a format that contains blacklisted constructs.

However, some analyses are more difficult and you might need to act at runtime.
For example, if the format string is malformed, you will probably encounter an error, which must be handled (also, you may give bad values to the expected arguments).
Even if the user is not malicious, you can also have problems with iteration constructs:

~{<X>~:*~}

... never stops because ~:* rewinds the current argument. In order to handle this, you must consider that <X> may, or may not, print something. You could implement both of those strategies:
- have a timeout that bounds the formatting time
- make the underlying stream reach end-of-file when too much is written (e.g. write to a string buffer)
There might be other problems I currently don't see, be careful.
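The ~/ blacklist check, the with-standard-io-syntax wrapper and the runtime error handling from the answer, put together as an added Common Lisp example (my own code, not the answerer's); the function names and the *forbidden-directives* list are my choices, and the timeout / bounded-output strategies for runaway iteration are implementation-specific and not shown here.

```lisp
(defparameter *forbidden-directives* '(#\/)
  "Directive characters the caller refuses: ~/ names an arbitrary function to call.
   Constructed for this example; ~A, ~S and ~W still reach PRINT-OBJECT on the
   arguments, so pass only plain data (numbers, strings) as ARGS.")

(defun format-directive-chars (control)
  "Return the directive characters used in CONTROL, upcased. Prefix parameters
   (digits, 'c, V, #, commas, signs) and the : and @ modifiers are skipped, so
   ~~/ is reported as the ~ directive followed by a literal slash, not as ~/."
  (let ((chars '()) (i 0) (n (length control)))
    (loop while (< i n) do
      (cond ((char/= (char control i) #\~) (incf i))
            (t
             (incf i)
             ;; skip prefix parameters
             (loop while (< i n) do
               (let ((c (char control i)))
                 (cond ((char= c #\') (incf i 2))          ; 'c character parameter
                       ((find c "0123456789+-,vV#") (incf i))
                       (t (return)))))
             ;; skip modifiers
             (loop while (and (< i n) (find (char control i) ":@")) do (incf i))
             (when (< i n)
               (push (char-upcase (char control i)) chars)
               (incf i)))))
    (nreverse chars)))

(defun safe-format (control &rest args)
  "Format ARGS with the untrusted CONTROL string. Returns the output string, or
   NIL and a reason when CONTROL uses a forbidden directive or FORMAT signals
   an error (malformed control string, wrong argument type, ...)."
  (let ((bad (intersection (format-directive-chars control) *forbidden-directives*)))
    (when bad
      (return-from safe-format
        (values nil (format nil "forbidden directive ~~~C" (first bad))))))
  (handler-case
      ;; standard printer settings, so the output does not depend on whatever
      ;; *print-base* etc. the caller has bound; *print-readably* is relaxed so
      ;; ~S on ordinary objects does not signal PRINT-NOT-READABLE
      (values (with-standard-io-syntax
                (let ((*print-readably* nil))
                  (apply #'format nil control args)))
              nil)
    (error (e) (values nil (princ-to-string e)))))

;; Sample calls (constructed): a harmless ~~/, a rejected ~/, a malformed string.
(safe-format "~D items, ~~/ is literal" 3)
(safe-format "~/cl-user::f/" 3)
(safe-format "~{~A" '(1 2))
```

The second value of safe-format is the reason for a refusal, so a caller can log rejected control strings without ever having passed them to format.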