On Thu, Jun 27, 2019 at 04:21:24PM -0400, J. Bruce Fields wrote:
> No, I was confused: "\n" is non-printable according to isprint(), so
> ESCAPE_ANY_NP *will* escape it. So this isn't quite so bad. SSIDs are
> usually printed as '%*pE', so arguably we should be escaping the single
> quote character too, but at least we're not allowing line breaks
> through. I don't know about non-ascii.

Okay, cool. Given that most things are just trying to log, it seems like
it should be safe to have %pE escape non-ascii, non-printable, \, ', and "?

And if we're changing that, we're likely changing string_escape_mem().
Looking at callers of string_escape_mem() makes my head spin...

Anyway, I don't want to block you needlessly. What would you like to have be
next steps here?

-- 
Kees Cook
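
Added example, not part of the original message and not kernel code: a userspace C sketch of the escaping policy floated above (non-ASCII, non-printable, \, ', and "), run over a constructed SSID-like string to show that it cannot break out of a quoted, single-line log field. The names `escape_for_log` and `sample_ssid` are hypothetical, and the `\xHH` output form is an assumption, not what %pE emits.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from the thread): quote, newline, double quotes, UTF-8. */
static const unsigned char sample_ssid[] = "lab'\nkernel: \"ok\" \xc3\xa9";

/* Userspace sketch, not the kernel's string_escape_mem(): escape bytes for a
 * single-line, quoted log field. Backslash and both quote characters get a
 * backslash prefix; every byte outside printable ASCII becomes \xHH.
 * Returns the length the full output needs; >= dstsz means truncated. */
size_t escape_for_log(const unsigned char *src, size_t len,
                      char *dst, size_t dstsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t need = 0, out = 0;
    int full = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        char buf[4];
        size_t n;
        if (c == '\\' || c == '\'' || c == '"') {
            buf[0] = '\\'; buf[1] = (char)c; n = 2;
        } else if (c >= 0x20 && c <= 0x7e) {
            buf[0] = (char)c; n = 1;
        } else {                        /* control or non-ASCII byte */
            buf[0] = '\\'; buf[1] = 'x';
            buf[2] = hex[c >> 4]; buf[3] = hex[c & 0xf]; n = 4;
        }
        /* Copy an escape only if it fits whole, leaving room for the NUL. */
        full |= (out + n >= dstsz);
        if (!full) {
            memcpy(dst + out, buf, n);
            out += n;
        }
        need += n;
    }
    if (dstsz)
        dst[out] = '\0';
    return need;
}

int main(void)
{
    char line[128];
    escape_for_log(sample_ssid, sizeof(sample_ssid) - 1, line, sizeof(line));
    printf("ssid='%s'\n", line);
    return 0;
}
```

Truncation stops on an escape boundary, so a short destination buffer never ends in a dangling backslash or a partial `\xHH`.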