
Fix log CRLF injection (#7883)

* Fix log CRLF injection

* empty -> space

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Inverle 7 months ago
parent
commit
c44bb029c0
2 changed files with 6 additions and 1 deletions
  1. 5 0
      app/Models/Log.php
  2. 1 1
      lib/Minz/Log.php

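--- a/app/Models/Log.php
+++ b/app/Models/Log.php
@@ -4,6 +4,7 @@ declare(strict_types=1);
 class FreshRSS_Log extends Minz_Model {
 
 	private string $date;
+	/** @property 'error'|'warning'|'notice'|'debug'|'info' $level */
 	private string $level;
 	private string $information;
 
@@ -20,6 +21,10 @@ class FreshRSS_Log extends Minz_Model {
 		$this->date = $date;
 	}
 	public function _level(string $level): void {
+		if (!in_array($level, ['error', 'warning', 'notice', 'debug', 'info'], true)) {
+			$this->level = 'info';
+			return;
+		}
 		$this->level = $level;
 	}
 	public function _info(string $information): void {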
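Review bot: The docblock added above `$level` uses `@property`, a tag PHPDoc and PHPStan only honour in a class-level docblock describing magic properties; on a declared property the tag is `@var`, so as written the literal-string union is ignored by static analysis. Suggest `/** @var 'error'|'warning'|'notice'|'debug'|'info' */` instead. The same five names are then repeated in the `in_array()` allowlist in `_level()`; a `private const LEVELS = ['error', 'warning', 'notice', 'debug', 'info'];` used by the check (and referenced from the docblock) keeps the two lists from drifting apart. The silent fallback to `'info'` also hides malformed input; if these values come from parsing stored log lines, a short comment stating that unknown levels are deliberately downgraded rather than rejected would help the next reader.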

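--- a/lib/Minz/Log.php
+++ b/lib/Minz/Log.php
@@ -56,7 +56,7 @@ class Minz_Log {
 					$level_label = 'info';
 			}
 
-			$log = '[' . date('r') . '] [' . $level_label . '] --- ' . $information . "\n";
+			$log = '[' . date('r') . '] [' . $level_label . '] --- ' . str_replace(["\r", "\n"], ' ', $information) . "\n";
 
 			if (defined('COPY_LOG_TO_SYSLOG') && COPY_LOG_TO_SYSLOG) {
 				syslog($level, '[' . $username . '] ' . trim($log));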
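Review bot: The new `str_replace()` on the `$log` line neutralises CR and LF, but every other control byte in `$information` still reaches the file and syslog unchanged — a backspace, NUL or ESC-initiated terminal sequence can still corrupt or disguise an entry when the log is read with a terminal tool. Since the message is already being normalised here, widening the filter to the whole C0 range plus DEL is a one-line change: `preg_replace('/[\x00-\x1F\x7F]+/', ' ', $information)` (deliberately without the `u` modifier, so invalid UTF-8 does not make it return null and drop the message). `$username` on the syslog line is concatenated without the same treatment; whether it is already constrained depends on code outside this hunk. The enclosing method starts before the hunk.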