From 0006432890dd0135152d6334155ef4c1b860b717 Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Mon, 29 May 2017 17:15:28 +1000
Subject: src/ldebug.js: Don't pass user input as format string to luaG_runerror. Fixes #65
---
 src/ldebug.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/ldebug.js b/src/ldebug.js
index 510221f..4019413 100644
--- a/src/ldebug.js
+++ b/src/ldebug.js
@@ -544,7 +544,7 @@ const varinfo = function(L, o) {
 const luaG_typeerror = function(L, o, op) {
 let t = ltm.luaT_objtypename(L, o);
- luaG_runerror(L, defs.to_luastring(`attempt to ${defs.to_jsstring(op)} a ${defs.to_jsstring(t)} value${defs.to_jsstring(varinfo(L, o))}`));
+ luaG_runerror(L, defs.to_luastring("attempt to %s a %s value%s", true), op, t, varinfo(L, o));
 };
 const luaG_concaterror = function(L, p1, p2) {
@@ -565,9 +565,9 @@ const luaG_ordererror = function(L, p1, p2) {
 let t1 = ltm.luaT_objtypename(L, p1);
 let t2 = ltm.luaT_objtypename(L, p2);
 if (t1.join() === t2.join())
- luaG_runerror(L, defs.to_luastring(`attempt to compare two ${defs.to_jsstring(t1)} values`));
+ luaG_runerror(L, defs.to_luastring("attempt to compare two %s values", true), t1);
 else
- luaG_runerror(L, defs.to_luastring(`attempt to compare ${defs.to_jsstring(t1)} with ${defs.to_jsstring(t2)}`));
+ luaG_runerror(L, defs.to_luastring("attempt to compare %s with %s", true), t1, t2);
 };
 /* add src:line information to 'msg' */
@@ -607,7 +607,7 @@ const luaG_tointerror = function(L, p1, p2) {
 let temp = lvm.tointeger(p1);
 if (temp === false)
 p2 = p1;
- luaG_runerror(L, defs.to_luastring(`number${defs.to_jsstring(varinfo(L, p2))} has no integer representation`));
+ luaG_runerror(L, defs.to_luastring("number%s has no integer representation", true), varinfo(L, p2));
 };
 const luaG_traceexec = function(L) {
-- 
cgit v1.2.3-54-g00ecf
From a0acc63c7d0171f1b45bebf9d74744515f9217c7 Mon Sep 17 00:00:00 2001
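Review bot: Nothing in src/ldebug.js records why the format argument of `luaG_runerror` has to stay a literal, so a later edit to luaG_typeerror could bring template interpolation back unnoticed; the same applies to the calls in luaG_ordererror and luaG_tointerror. A one-line comment above the first call would cover it, e.g. `/* format must stay constant: op, type names and varinfo() text are passed as %s arguments only */`. The commit also adds no regression test; one that raises each of these errors with a `%` in the offending name (presumably the shape of #65, which is not shown here) and asserts the message comes through verbatim would pin the fix. Each of the three function bodies starts or ends outside its hunk.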
From: daurnimator
Date: Mon, 29 May 2017 17:18:58 +1000
Subject: Don't pass user input as format to luaL_error
---
 src/loslib.js | 6 +++---
 src/lstrlib.js | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/loslib.js b/src/loslib.js
index 976ab92..baaee74 100644
--- a/src/loslib.js
+++ b/src/loslib.js
@@ -44,14 +44,14 @@ const getfield = function(L, key, d, delta) {
 let res = lua.lua_tointegerx(L, -1);
 if (res === false) { /* field is not an integer? */
 if (t !== lua.LUA_TNIL) /* some other value? */
- return lauxlib.luaL_error(L, lua.to_luastring(`field '${key}' is not an integer`), true);
+ return lauxlib.luaL_error(L, lua.to_luastring("field '%s' is not an integer"), key);
 else if (d < 0) /* absent field; no default? */
- return lauxlib.luaL_error(L, lua.to_luastring(`field '${key}' missing in date table`), true);
+ return lauxlib.luaL_error(L, lua.to_luastring("field '%s' missing in date table"), key);
 res = d;
 }
 else {
 if (!(-L_MAXDATEFIELD <= res && res <= L_MAXDATEFIELD))
- return lauxlib.luaL_error(L, lua.to_luastring(`field '${key}' is out-of-bound`), true);
+ return lauxlib.luaL_error(L, lua.to_luastring("field '%s' is out-of-bound"), key);
 res -= delta;
 }
 lua.lua_pop(L, 1);
diff --git a/src/lstrlib.js b/src/lstrlib.js
index 41c48ef..56817a0 100644
--- a/src/lstrlib.js
+++ b/src/lstrlib.js
@@ -1107,7 +1107,7 @@ const push_onecapture = function(ms, i, s, e) {
 if (i === 0)
 lua.lua_pushlstring(ms.L, ms.src.slice(s), e - s); /* add whole match */
 else
- lauxlib.luaL_error(ms.L, lua.to_luastring(`invalid capture index %${i + 1}`));
+ lauxlib.luaL_error(ms.L, lua.to_luastring("invalid capture index %%%d"), i + 1);
 } else {
 let l = ms.capture[i].len;
 if (l === CAP_UNFINISHED) lauxlib.luaL_error(ms.L, lua.to_luastring("unfinished capture", true));
-- 
cgit v1.2.3-54-g00ecf
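Review bot: In src/loslib.js getfield, `key` is now handed to `%s` unconverted, yet the removed lines interpolated it straight into a template literal, which suggests it is a JS string rather than a Lua string. The ldebug.js commit on this page passes to `%s` only values that were previously unwrapped with `to_jsstring`, i.e. Lua strings. If the formatter expects a Lua string for `%s`, all three calls need the argument converted, e.g. `return lauxlib.luaL_error(L, lua.to_luastring("field '%s' is not an integer"), lua.to_luastring(key));`. What type `key` has is decided by getfield's callers, and the function body starts and ends outside the hunk, so this needs confirming there.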
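Review bot: In src/lstrlib.js push_onecapture, the new `lua.to_luastring("invalid capture index %%%d")` omits the second argument that the next call in the same hunk, `lua.to_luastring("unfinished capture", true)`, passes for a constant string. For consistency it would read `lua.to_luastring("invalid capture index %%%d", true)`. The three new format literals in src/loslib.js getfield omit it as well, whereas the ldebug.js calls include it. push_onecapture's body begins and ends outside the hunk.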