authorJoey Hess <joeyh@joeyh.name>2016-09-27 20:22:53 -0400
committerJoey Hess <joeyh@joeyh.name>2016-09-27 20:24:31 -0400
commit758965d177d75f529bb88e24564a0bdb5e406fc6 (patch)
tree8632125811610fb7444784d10caf6441dcf792e7 /Output.hs
parent40ef6d76d4d50c48f103c2b94cd45c7647a25dbc (diff)
Filter out escape sequences and any other unusual characters when writing all messages to the console.
This should protect against all attacks where the server sends back a malicious message.
Diffstat (limited to 'Output.hs')
-rw-r--r--Output.hs33
1 files changed, 33 insertions, 0 deletions
diff --git a/Output.hs b/Output.hs
new file mode 100644
index 0000000..f655d0a
--- /dev/null
+++ b/Output.hs
@@ -0,0 +1,33 @@
+-- All console output in keysafe should go via this module;
+-- avoid using putStrLn, print, etc directly.
+
+module Output (ask, progress, say, warn, display) where
+
+import System.IO
+import Data.Char
+
+ask :: String -> IO ()
+ask s = do
+ putStr (escape s)
+ hFlush stdout
+
+progress :: String -> IO ()
+progress = ask
+
+say :: String -> IO ()
+say = putStrLn . escape
+
+warn :: String -> IO ()
+warn = hPutStrLn stderr . escape
+
+display :: Show s => s -> IO ()
+display = say . show
+
+-- | Prevent malicious escape sequences etc in a string
+-- from being output to the console.
+escape :: String -> String
+escape = concatMap go
+ where
+ go c = if isPrint c || isSpace c
+ then [c]
+ else "\\" ++ show (ord c)
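Review bot: In `escape`, the `isSpace c` test lets `\r`, `\v` and `\f` through unchanged as well as space, tab and newline, so a server-supplied message can still reposition the cursor; a carriage return, for instance, makes the terminal overwrite text keysafe already printed on that line. Narrowing the pass-through to the whitespace the callers actually need would close this, e.g. `go c = if isPrint c || c == ' ' || c == '\n' || c == '\t'`, and whether `\n` should survive in `ask` prompts depends on callers not visible here. The backslash itself is also not escaped, so a literal `\27` in a message is indistinguishable from an escaped ESC, and `\1` followed by a digit is ambiguous. Escaping `'\\'` and using a delimited form such as `"\\{" ++ show (ord c) ++ "}"` would keep the output unambiguous for anyone reading logs.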