authorGravatar Inverle <inverle@proton.me> 2025-08-31 20:05:30 +0200
committerGravatar GitHub <noreply@github.com> 2025-08-31 20:05:30 +0200
commitc44bb029c015ab91808b06b8eb691240b7fc575d (patch)
tree10521ba8935917a134730d77bd150ccf00c627df
parent87879e83927d66332d2d0794bc47eeb55f8c9b46 (diff)
Fix log CRLF injection (#7883)
* Fix log CRLF injection * empty -> space Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
-rw-r--r--app/Models/Log.php5
-rw-r--r--lib/Minz/Log.php2
2 files changed, 6 insertions, 1 deletions
diff --git a/app/Models/Log.php b/app/Models/Log.php
index 7760e76ca..5d3ddbe16 100644
--- a/app/Models/Log.php
+++ b/app/Models/Log.php
@@ -4,6 +4,7 @@ declare(strict_types=1);
class FreshRSS_Log extends Minz_Model {
private string $date;
+ /** @property 'error'|'warning'|'notice'|'debug'|'info' $level */
private string $level;
private string $information;
@@ -20,6 +21,10 @@ class FreshRSS_Log extends Minz_Model {
$this->date = $date;
}
public function _level(string $level): void {
+ if (!in_array($level, ['error', 'warning', 'notice', 'debug', 'info'], true)) {
+ $this->level = 'info';
+ return;
+ }
$this->level = $level;
}
public function _info(string $information): void {
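Review bot: The docblock added above `$level` uses `@property`, which PHPDoc reserves for class-level magic properties and which PHPStan/Psalm do not apply to a declared property; `/** @var 'error'|'warning'|'notice'|'debug'|'info' */` is the tag that makes the narrowed type actually checked. The same five names are then repeated in the `in_array` guard inside `_level()`; hoisting them into `private const LEVELS = ['error', 'warning', 'notice', 'debug', 'info'];` and testing `in_array($level, self::LEVELS, true)` keeps the docblock and the guard from drifting apart. The silent fallback to `'info'` also deserves a why-comment, e.g. `// Unknown or malformed levels collapse to 'info' so only known labels are ever stored or rendered`, since a reader of a setter otherwise expects invalid input to throw. `_info()` on the last line continues outside the hunk.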
diff --git a/lib/Minz/Log.php b/lib/Minz/Log.php
index 8bf193ffe..df3c97904 100644
--- a/lib/Minz/Log.php
+++ b/lib/Minz/Log.php
@@ -56,7 +56,7 @@ class Minz_Log {
$level_label = 'info';
}
- $log = '[' . date('r') . '] [' . $level_label . '] --- ' . $information . "\n";
+ $log = '[' . date('r') . '] [' . $level_label . '] --- ' . str_replace(["\r", "\n"], ' ', $information) . "\n";
if (defined('COPY_LOG_TO_SYSLOG') && COPY_LOG_TO_SYSLOG) {
syslog($level, '[' . $username . '] ' . trim($log));