git.pond.sub.org Git - empserver/commit

author	Markus Armbruster <armbru@pond.sub.org>
	Sat, 2 Jul 2011 07:09:27 +0000 (09:09 +0200)
committer	Markus Armbruster <armbru@pond.sub.org>
	Sat, 9 Jul 2011 13:14:00 +0000 (15:14 +0200)
commit	b464b0fcc2eb555da259c8eac8557c55748034ce
tree	73ff60e1a6eafd65a9087231952afae7e33b53fa	tree \| snapshot
parent	727e6194c866bb32f0ef991f77de4acad14a3ae9	commit \| diff

Fix input/output filtering to ASCII

copy_utf8_to_ascii_no_funny() eats the character following a replaced
non-ASCII character.  Buffer overrun possible when the terminating
zero gets eaten.  Broken in commit b5ff7e3b, v4.2.21.

Affected commands:

* players column "last command" in ASCII sessions: struct player
  member combuf is UTF-8, uprnf() filters to ASCII.

* read in ASCII sessions: telegram chunks are UTF-8, uprnf() filters
  to ASCII.

* flash and wall with message argument in ASCII sessions: argument is
  used raw, i.e. UTF-8, pr_flash() filters to ASCII.  Safe as long as
  we have input filtering sanitizing the raw argument.  command() does
  that, but execute() doesn't (bug, to be fixed in a later commit).

* execute prompting for its argument in UTF-8 sessions: prmptrd()
  receives user text, and filters to ASCII.

Unaffected:

* dispatch() argument redir is UTF-8, uprnf() can filter to ASCII.
  Safe as long as we have input filtering sanitizing the raw argument.
  command() does that.  execute() doesn't, but rejects redirections
  before calling dispatch().

* getele() buffer is UTF-8, uprnf() can filter to ASCII.  Safe,
  because its contents comes from uprmptrd(), which filters input.