The exposed YAML is currently only valid with the custom dialect implementation in OpenRA. External tools currently need to re-implement the whole parser. Here are the 2 main (and only?) issues:
Tabs/spaces
The exposed YAML uses tabs instead of spaces; this is not valid:
Why does YAML forbid tabs?
Tabs have been outlawed since they are treated differently by different editors and tools. And since indentation is so critical to proper interpretation of YAML, this issue is just too tricky to even attempt. Indeed Guido van Rossum of Python has acknowledged that allowing TABs in Python source is a headache for many people and that were he to design Python again, he would forbid them.
Source: yaml.org
I believe the OpenRA parser does handle spaces as well so this should be easy to fix.
Unquoted strings
The ProfileName contains arbitrary data from the users. I'm not sure how much is allowed from phpbb, but I know that at least Unicode (to some extent?) is permitted. This means that there is a potential corruption vector here to alter the implied type.
One example of this is user ".1" (pointwon). Using a standard YAML parser will recognize the value as a float, meaning it will be recognized as 0.1. This could imply all kind of various issues. We could technically have integers as well, and maybe other types such as lists (comma and linebreaks are allowed?).
One possible fix for this would be to quote the string, but I'm not sure OpenRA code can handle this. Also, what would happen with a \ or a " in the name, is that possible?
Also, while there is probably a filter in phpbb, I see no such thing while displaying it (no escaping), this might be another problem.
The exposed YAML is currently only valid with the custom dialect implementation in OpenRA. External tools currently need to re-implement the whole parser. Here are the 2 main (and only?) issues:
Tabs/spaces
The exposed YAML uses tabs instead of spaces; this is not valid:
Source: yaml.org
I believe the OpenRA parser does handle spaces as well so this should be easy to fix.
Unquoted strings
The
ProfileNamecontains arbitrary data from the users. I'm not sure how much is allowed from phpbb, but I know that at least Unicode (to some extent?) is permitted. This means that there is a potential corruption vector here to alter the implied type.One example of this is user ".1" (pointwon). Using a standard YAML parser will recognize the value as a float, meaning it will be recognized as
0.1. This could imply all kind of various issues. We could technically have integers as well, and maybe other types such as lists (comma and linebreaks are allowed?).One possible fix for this would be to quote the string, but I'm not sure OpenRA code can handle this. Also, what would happen with a
\or a"in the name, is that possible?Also, while there is probably a filter in phpbb, I see no such thing while displaying it (no escaping), this might be another problem.