From c44bb029c015ab91808b06b8eb691240b7fc575d Mon Sep 17 00:00:00 2001
From: Inverle
Date: Sun, 31 Aug 2025 20:05:30 +0200
Subject: Fix log CRLF injection (#7883)
* Fix log CRLF injection
* empty -> space
Co-authored-by: Alexandre Alapetite
---
 app/Models/Log.php | 5 +++++
 lib/Minz/Log.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/Models/Log.php b/app/Models/Log.php
index 7760e76ca..5d3ddbe16 100644
--- a/app/Models/Log.php
+++ b/app/Models/Log.php
@@ -4,6 +4,7 @@ declare(strict_types=1);
 class FreshRSS_Log extends Minz_Model {
 private string $date;
+ /** @property 'error'|'warning'|'notice'|'debug'|'info' $level */
 private string $level;
 private string $information;
@@ -20,6 +21,10 @@ class FreshRSS_Log extends Minz_Model {
 $this->date = $date;
 }
 public function _level(string $level): void {
+ if (!in_array($level, ['error', 'warning', 'notice', 'debug', 'info'], true)) {
+ $this->level = 'info';
+ return;
+ }
 $this->level = $level;
 }
 public function _info(string $information): void {
diff --git a/lib/Minz/Log.php b/lib/Minz/Log.php
index 8bf193ffe..df3c97904 100644
--- a/lib/Minz/Log.php
+++ b/lib/Minz/Log.php
@@ -56,7 +56,7 @@ class Minz_Log {
 $level_label = 'info';
 }
- $log = '[' . date('r') . '] [' . $level_label . '] --- ' . $information . "\n";
+ $log = '[' . date('r') . '] [' . $level_label . '] --- ' . str_replace(["\r", "\n"], ' ', $information) . "\n";
 if (defined('COPY_LOG_TO_SYSLOG') && COPY_LOG_TO_SYSLOG) {
 syslog($level, '[' . $username . '] ' . trim($log));
--
cgit v1.2.3
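Review bot: The docblock added above `private string $level` uses `@property`, which is a class-level tag for magic (`__get`/`__set`) properties, so PHPStan and Psalm will not apply the literal-string union to the declared property and the constraint stays documentation-only. On a property declaration the tag is `@var`, with no variable name: `/** @var 'error'|'warning'|'notice'|'debug'|'info' */`. With that change an analyser can also flag any assignment to `$this->level` outside the five values, which is the guarantee the `_level()` guard in the next hunk is trying to give.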
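Review bot: The allowed-level list in the new `in_array` guard inside `_level()` is spelled out a second time here, separately from the union written in the docblock on `$level` in the previous hunk, so the two will drift the first time a level is added or renamed. A single class constant keeps one source of truth: `private const LEVELS = ['error', 'warning', 'notice', 'debug', 'info'];` and `if (!in_array($level, self::LEVELS, true)) {`. The silent fallback to `'info'` for an unrecognised value also leaves no trace that an unexpected level was seen; if these values come from parsing existing log lines that tolerance is presumably intended, but a comment such as `// Unknown levels are coerced to 'info' so malformed log lines still display` would make that deliberate for the next reader. `_info()` begins on the hunk's last line and its body is outside the hunk.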
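Review bot: The new `str_replace` on the `$log` line neutralises only CR and LF, so other control bytes in `$information` (NUL, tab, vertical tab, form feed, ESC, DEL) are still written verbatim to the log file and, through the `trim($log)` on the syslog line below, to syslog; line structure is now preserved, but a viewer or terminal that interprets such bytes can still be confused by a log entry. A byte-wise character class covers all of them in one call: `preg_replace('/[\x00-\x1F\x7F]+/', ' ', $information) ?? ' '`, where the `??` makes a PCRE failure produce a blank rather than pass the raw text through, and the absence of the `u` modifier means multibyte UTF-8 text (all bytes >= 0x80) is left untouched. The enclosing method of `Minz_Log` starts before the hunk, so the source of `$information` cannot be checked here.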