From c44bb029c015ab91808b06b8eb691240b7fc575d Mon Sep 17 00:00:00 2001
From: Inverle
Date: Sun, 31 Aug 2025 20:05:30 +0200
Subject: Fix log CRLF injection (#7883)

* Fix log CRLF injection
* empty -> space
Co-authored-by: Alexandre Alapetite
---
 app/Models/Log.php | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'app')
diff --git a/app/Models/Log.php b/app/Models/Log.php
index 7760e76ca..5d3ddbe16 100644
--- a/app/Models/Log.php
+++ b/app/Models/Log.php
@@ -4,6 +4,7 @@ declare(strict_types=1);
 class FreshRSS_Log extends Minz_Model {
 private string $date;
+ /** @property 'error'|'warning'|'notice'|'debug'|'info' $level */
 private string $level;
 private string $information;
@@ -20,6 +21,10 @@ class FreshRSS_Log extends Minz_Model {
 $this->date = $date;
 }
 public function _level(string $level): void {
+ if (!in_array($level, ['error', 'warning', 'notice', 'debug', 'info'], true)) {
+ $this->level = 'info';
+ return;
+ }
 $this->level = $level;
 }
 public function _info(string $information): void {
-- cgit v1.2.3
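Review bot: The docblock added above `private string $level;` uses `@property`, which is the class-level tag for magic properties; on a declared property static analysers read `@var`, so the literal union is probably ignored as written. I would change it to `/** @var 'error'|'warning'|'notice'|'debug'|'info' */`. The class body starts and continues outside this hunk.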
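Review bot: The new guard in `_level()` silently rewrites any unrecognised level to `'info'`, so a malformed or forged log line is shown at the least conspicuous severity and nothing records that it was normalised. A more visible fallback such as `'warning'` would keep that signal for whoever reads the log, or at minimum the choice deserves a comment like `// Unknown level: the entry may be malformed or forged, so normalise it instead of echoing it`. The allowed list is also duplicated between this `in_array()` call and the docblock in the first hunk; one `private const LEVELS = ['error', 'warning', 'notice', 'debug', 'info'];` would keep them from drifting apart. The neighbouring setters `_date()` and `_info()` appear only as context and are unchanged here, and the page is limited to `app/`, so whether CR/LF is neutralised for those fields elsewhere cannot be confirmed from this diff.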