author | Joey Hess <joeyh@joeyh.name> | 2016-09-27 20:22:53 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2016-09-27 20:24:31 -0400 |
commit | 758965d177d75f529bb88e24564a0bdb5e406fc6 (patch) | |
tree | 8632125811610fb7444784d10caf6441dcf792e7 /Output.hs | |
parent | 40ef6d76d4d50c48f103c2b94cd45c7647a25dbc (diff) | |
download | keysafe-758965d177d75f529bb88e24564a0bdb5e406fc6.tar.gz |
Filter out escape sequences and any other unusual characters when writing all messages to the console.
This should protect against all attacks where the server sends back a
malicious message.
Diffstat (limited to 'Output.hs')
-rw-r--r-- | Output.hs | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/Output.hs b/Output.hs new file mode 100644 index 0000000..f655d0a --- /dev/null +++ b/Output.hs @@ -0,0 +1,33 @@ +-- All console output in keysafe should go via this module; +-- avoid using putStrLn, print, etc directly. + +module Output (ask, progress, say, warn, display) where + +import System.IO +import Data.Char + +ask :: String -> IO () +ask s = do + putStr (escape s) + hFlush stdout + +progress :: String -> IO () +progress = ask + +say :: String -> IO () +say = putStrLn . escape + +warn :: String -> IO () +warn = hPutStrLn stderr . escape + +display :: Show s => s -> IO () +display = say . show + +-- | Prevent malicious escape sequences etc in a string +-- from being output to the console. +escape :: String -> String +escape = concatMap go + where + go c = if isPrint c || isSpace c + then [c] + else "\\" ++ show (ord c) |
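Review bot: in `escape`, the test `isPrint c || isSpace c` passes every character that `isSpace` accepts, and in Data.Char that covers `\r`, `\t`, `\f` and `\v` as well as space and newline. A carriage return in a server-supplied message returns the cursor to the start of the line, so the rest of the message can overwrite text already shown there. Consider narrowing the pass-through to `c == ' ' || c == '\n'` (plus `'\t'` if tabs are wanted) and escaping everything else. A smaller point in the same function: a literal backslash is passed through unchanged and `"\\" ++ show (ord c)` has no terminator, so the output is ambiguous. A backslash followed by digits in the message is indistinguishable from an escaped character, and an escaped character followed by a digit reads as a different code. Escaping `'\\'` itself and using a delimited or fixed-width form would resolve this. A comment on `escape` listing exactly which characters are allowed through would also help future callers.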