/*
 * libwebsockets - small server side websockets and web server implementation
 *
 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 */

/*! \defgroup pur Sanitize / purify SQL and JSON helpers
 *
 * ##Sanitize / purify SQL and JSON helpers
 *
 * APIs for escaping untrusted JSON and SQL safely before use
 *
 * Usage notes common to the helpers below:
 *
 *  - The escaped form of a string can be longer than the input (the JSON
 *    case documents up to 6x), so the caller must size the output buffer
 *    with the matching *_purify_len() helper if truncation is not acceptable.
 *  - Every output buffer write is bounded by the length the caller passes;
 *    if the escaped text does not fit, the output is cut short rather than
 *    overrun.  Treat a truncated result as an error in the caller, since a
 *    silently shortened value can change the meaning of the query or
 *    document it is inserted into.
 */
//@{

/**
 * lws_sql_purify() - like strncpy but with escaping for sql quotes
 *
 * \param escaped: output buffer
 * \param string: input buffer ('\0' terminated)
 * \param len: output buffer max length
 *
 * Because escaping expands the output string, it's not
 * possible to do it in-place, ie, with escaped == string
 *
 * As the summary says, this deals with quote characters so that untrusted
 * text can be placed inside an SQL string literal; it is not a substitute for
 * prepared / parameterized statements where the database API offers them, and
 * it is not intended for other SQL contexts (identifiers, numeric literals).
 * Use lws_sql_purify_len() to size \p escaped if the input must not be
 * truncated.
 *
 * NOTE(review): the return value is not documented here; presumably it is
 * \p escaped, confirm against the implementation before relying on it.
 */
LWS_VISIBLE LWS_EXTERN const char *
lws_sql_purify(char *escaped, const char *string, size_t len);

/**
 * lws_sql_purify_len() - return length of purified version of input string
 *
 * \param p: input buffer ('\0' terminated)
 *
 * Calculates any character escaping without writing it anywhere and returns the
 * calculated length of the purified string.
 *
 * The result is the size the caller needs for lws_sql_purify()'s output
 * buffer; NOTE(review): whether the returned length already includes the
 * terminating '\0' is not stated here, confirm against the implementation.
 *
 * NOTE(review): unlike its neighbours this prototype carries no
 * LWS_VISIBLE LWS_EXTERN; confirm whether it is meant to be exported from a
 * shared build.
 */
int
lws_sql_purify_len(const char *p);

/**
 * lws_json_purify() - like strncpy but with escaping for json chars
 *
 * \param escaped: output buffer
 * \param string: input buffer ('\0' terminated)
 * \param len: output buffer max length
 * \param in_used: number of bytes of string we could escape in len
 *
 * Because escaping expands the output string, it's not
 * possible to do it in-place, ie, with escaped == string
 *
 * \p in_used reports how much of \p string was consumed before the output
 * ran out of room, so a caller can detect that the escaped text was
 * truncated (compare it with the input length) or continue from that offset
 * in a later call.  Use lws_json_purify_len() to size \p escaped when the
 * whole input must fit in one go.
 *
 * NOTE(review): \p len is a signed int here while lws_sql_purify() takes a
 * size_t; callers converting from size_t should make sure the value fits.
 * The return value is undocumented; presumably it is \p escaped, confirm
 * against the implementation.
 */
LWS_VISIBLE LWS_EXTERN const char *
lws_json_purify(char *escaped, const char *string, int len, int *in_used);

/**
 * lws_json_purify_len() - find out the escaped length of a string
 *
 * \param string: input buffer ('\0' terminated)
 *
 * JSON may have to expand escapes by up to 6x the original depending on what
 * it is. This doesn't actually do the escaping but goes through the motions
 * and computes the length of the escaped string.
 *
 * NOTE(review): whether the returned length includes the terminating '\0' is
 * not stated here, confirm against the implementation before sizing buffers.
 */
LWS_VISIBLE LWS_EXTERN int
lws_json_purify_len(const char *string);

/**
 * lws_filename_purify_inplace() - replace scary filename chars with underscore
 *
 * \param filename: filename to be purified
 *
 * Replace scary characters in the filename (it should not be a path)
 * with underscore, so it's safe to use.
 *
 * Apply this to a single path component (a basename) only.  It is not meant
 * to make a full path safe, so callers should still build the final path
 * themselves from a trusted directory plus the purified component, rather
 * than passing user-supplied directory parts through it.  The string is
 * modified in place and does not grow, so no extra buffer space is needed.
 */
LWS_VISIBLE LWS_EXTERN void
lws_filename_purify_inplace(char *filename);

/**
 * lws_plat_write_cert() - platform helper to write certificate / key material
 *
 * \param vhost: the vhost the material belongs to
 * \param is_key: nonzero when \p buf holds a private key rather than a cert
 * \param fd: open descriptor to write to
 * \param buf: data to write
 * \param len: number of bytes in \p buf
 *
 * NOTE(review): the body is not in this header; the parameter meanings above
 * follow from the names only.  Presumably \p is_key lets the platform layer
 * treat private key material more restrictively than a public cert (e.g.
 * file permissions) -- confirm against the platform implementation.
 * Return semantics (presumably 0 on success, nonzero on failure, matching
 * the other lws_plat_* helpers) are likewise to be confirmed.
 */
LWS_VISIBLE LWS_EXTERN int
lws_plat_write_cert(struct lws_vhost *vhost, int is_key, int fd, void *buf,
		    size_t len);

/**
 * lws_plat_write_file() - platform helper to write a whole file
 *
 * \param filename: path of the file to write
 * \param buf: data to write
 * \param len: number of bytes in \p buf
 *
 * NOTE(review): return semantics are not documented here; presumably 0 on
 * success and nonzero on failure -- confirm against the implementation.
 * \p buf is declared non-const although a write should not need to modify
 * it; callers holding const data will need a cast.
 */
LWS_VISIBLE LWS_EXTERN int
lws_plat_write_file(const char *filename, void *buf, size_t len);

/**
 * lws_plat_read_file() - platform helper to read a file into a buffer
 *
 * \param filename: path of the file to read
 * \param buf: buffer to fill
 * \param len: capacity of \p buf in bytes
 *
 * NOTE(review): the body is not in this header.  Whether the return value is
 * the number of bytes read (negative on error) or a plain status, and what
 * happens when the file is larger than \p len, must be confirmed against the
 * implementation; callers should check the result before using \p buf.
 */
LWS_VISIBLE LWS_EXTERN int
lws_plat_read_file(const char *filename, void *buf, size_t len);

/**
 * lws_plat_recommended_rsa_bits() - RSA key size the platform recommends
 *
 * NOTE(review): presumably returns the RSA modulus length in bits that the
 * platform's TLS / crypto backend considers appropriate for generated keys
 * (inferred from the name; confirm against the implementation).
 */
LWS_VISIBLE LWS_EXTERN int
lws_plat_recommended_rsa_bits(void);
///@}