vndb/fu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move control character checking to FU::Validate, deprecate FU::Util::utf8_decode()

Browse source 
URI, JSON and formdata decoding no longer checks for control characters,
but FU::Validate now rejects control characters by default. This
decouples semantic validation from format parsing and gives better
control over when control characters are allowed.
This commit is contained in:
Yorhel 2025-08-22 09:51:56 +02:00
parent 2e9a40da69
commit a8ac435f85
8 changed files with 39 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

11
c/jsonparse.c
View file

@ -2,7 +2,6 @@ typedef struct {
const unsigned char *buf;
const unsigned char *end;
UV depth;
int allow_control;
} fujson_parse_ctx;
static SV *fujson_parse(pTHX_ fujson_parse_ctx *);
@ -24,10 +23,10 @@ static inline int fujson_parse_string_escape(pTHX_ fujson_parse_ctx *ctx, fustr
case '"': *(r->cur++) = '\"'; break;
case '\\':*(r->cur++) = '\\'; break;
case '/': *(r->cur++) = '/'; break; /* We don't escape this one */
case 'b': if (!ctx->allow_control) return 1; *(r->cur++) = 0x08; break;
case 'b': *(r->cur++) = 0x08; break;
case 't': *(r->cur++) = 0x09; break;
case 'n': *(r->cur++) = 0x0a; break;
case 'f': if (!ctx->allow_control) return 1; *(r->cur++) = 0x0c; break;
case 'f': *(r->cur++) = 0x0c; break;
case 'r': *(r->cur++) = 0x0d; break;
case 'u':
/* (awful code adapted from ncdu) */
@ -44,9 +43,6 @@ static inline int fujson_parse_string_escape(pTHX_ fujson_parse_ctx *ctx, fustr
n = 0x10000 + (((n & 0x03ff) << 10) | (s & 0x03ff));
ctx->buf += 6;
}
if (!ctx->allow_control &&
(n <= 8 || n == 0x0b || n == 0x0c || (n >= 0x0e && n <= 0x1f) || n == 0x7f))
return 1;
r->cur = (char *)uvchr_to_utf8((U8 *)r->cur, n);
if (n >= 0x80) r->setutf8 = 1;
break;
@ -269,7 +265,6 @@ static SV *fujson_parse_xs(pTHX_ I32 ax, I32 argc, SV *val) {
fujson_parse_ctx ctx;
ctx.depth = 0;
ctx.allow_control = 0;
while (i < argc) {
arg = SvPV_nolen(ST(i));
i++;
@ -280,7 +275,7 @@ static SV *fujson_parse_xs(pTHX_ I32 ax, I32 argc, SV *val) {
if (strcmp(arg, "utf8") == 0) decutf8 = SvTRUEx(r);
else if (strcmp(arg, "max_size") == 0) maxlen = SvUV(r);
else if (strcmp(arg, "max_depth") == 0) ctx.depth = SvUV(r);
else if (strcmp(arg, "allow_control") == 0) ctx.allow_control = SvTRUE(r);
else if (strcmp(arg, "allow_control") == 0) {}
else if (strcmp(arg, "offset") == 0) offset = r;
else croak("Unknown flag: '%s'", arg);
}