From a862307bce5cdfb1c208b835f3e8faddd23046e6 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Fri, 3 May 2024 07:54:13 +0200
Subject: [PATCH] Merge pull request from GHSA-x525-54hf-xr53

* do not log unvalidated user-input to mysql-log (if enabled)

Signed-off-by: Michael Kaufmann

* clean log-text to only allow a subset of special characters

Signed-off-by: Michael Kaufmann

* clean log-text when selecting from database to avoid possible previously added malicious entries

Signed-off-by: Michael Kaufmann

---------

Signed-off-by: Michael Kaufmann
---
 index.php                           | 6 +++---
 lib/Froxlor/Api/Commands/SysLog.php | 2 ++
 lib/Froxlor/FroxlorLogger.php       | 3 +++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/index.php b/index.php
index 5cccab8f86..d7754ffa66 100644
--- a/index.php
+++ b/index.php
@@ -248,7 +248,7 @@
  $rstlog = FroxlorLogger::getInstanceOf([
  'loginname' => $_SERVER['REMOTE_ADDR']
  ]);
- $rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user '" . $loginname . "' tried to login.");
+ $rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "Unknown user tried to login.");
 
  Response::redirectTo('index.php', [
  'showmessage' => '2'
@@ -305,7 +305,7 @@
  $rstlog = FroxlorLogger::getInstanceOf([
  'loginname' => $_SERVER['REMOTE_ADDR']
  ]);
- $rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User '" . $loginname . "' tried to login with wrong password.");
+ $rstlog->logAction(FroxlorLogger::LOGIN_ACTION, LOG_WARNING, "User tried to login with wrong password.");
 
  unset($userinfo);
  Response::redirectTo('index.php', [
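Review bot: Dropping `$loginname` from all three warnings (this hunk, the one at 305 and the one at 624 on the next line) removes the only field that lets an operator distinguish targeted brute-forcing of one account from a scan across many, because the `loginname` column of these entries holds only the client address. If that signal is wanted, the character allowlist that logAction now applies at write time (FroxlorLogger hunk) makes a bounded form safe to keep, e.g. `"Unknown user '" . substr($loginname, 0, 64) . "' tried to login."`, but leave it out if the project's intent is that request data never reaches the log at all. The password-reset entry at 624 uses `'loginname' => 'password_reset'` and so records no client address, unlike the two login warnings; logging `$_SERVER['REMOTE_ADDR']` there as well would keep the three events correlatable. The enclosing if/else blocks start and end outside these hunks.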
@@ -624,7 +624,7 @@
  $rstlog = FroxlorLogger::getInstanceOf([
  'loginname' => 'password_reset'
  ]);
- $rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "User '" . $loginname . "' requested to set a new password, but was not found in database!");
+ $rstlog->logAction(FroxlorLogger::USR_ACTION, LOG_WARNING, "Unknown user requested to set a new password, but was not found in database!");
 
  $message = lng('login.usernotfound');
  }
diff --git a/lib/Froxlor/Api/Commands/SysLog.php b/lib/Froxlor/Api/Commands/SysLog.php
index 9236d57772..2df7d1a133 100644
--- a/lib/Froxlor/Api/Commands/SysLog.php
+++ b/lib/Froxlor/Api/Commands/SysLog.php
@@ -90,6 +90,8 @@ public function listing()
  }
  Database::pexecute($result_stmt, $query_fields, true, true);
  while ($row = $result_stmt->fetch(PDO::FETCH_ASSOC)) {
+ // clean log-text
+ $row['text'] = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", $row['text']);
  $result[] = $row;
  }
  $this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] list log-entries");
diff --git a/lib/Froxlor/FroxlorLogger.php b/lib/Froxlor/FroxlorLogger.php
index 2ca02aeb08..6eeadf7fdc 100644
--- a/lib/Froxlor/FroxlorLogger.php
+++ b/lib/Froxlor/FroxlorLogger.php
@@ -175,6 +175,9 @@ public function logAction($action = FroxlorLogger::USR_ACTION, int $type = LOG_N
  $this->initMonolog();
  }
 
+ // clean log-text
+ $text = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", $text);
+
  if (self::$crondebug_flag || ($action == FroxlorLogger::CRON_ACTION && $type <= LOG_WARNING)) {
  echo "[" . $this->getLogLevelDesc($type) . "] " . $text . PHP_EOL;
  }
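Review bot: The allowlist in the added `preg_replace` is ASCII-only, because `\w` without the `u` modifier matches only `[A-Za-z0-9_]`, so every byte of a non-ASCII character in a stored entry (an umlaut in a customer name, say) comes back as a separate `_`; if that is not intended, a pattern such as `[^\p{L}\p{N} @#"':.()\[\]+\-_\/\\!]` with the `u` modifier keeps letters and digits of any script, at the price that `preg_replace` then returns `null` for invalid UTF-8 and the assignment needs a `?? ''` fallback. The `i` flag does nothing on this pattern and can go. Note that `"` and `'` stay allowed, so the filter blocks tags and line breaks but not quote characters; whatever escaping the consumers of `text` apply when rendering it remains the control that matters. The same literal is repeated in FroxlorLogger::logAction in the next hunk, and a single static helper on FroxlorLogger that both call would keep the two allowlists from drifting apart. listing() continues outside the hunk.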
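Review bot: `preg_replace` is applied to `$text` with no null guard: the parameter's default is cut off in the hunk header, but if it can be `null` (no message passed) PHP 8.1+ emits a deprecation for the null subject, and on any PCRE failure `preg_replace` itself returns `null`, which then reaches the `echo` below and the logging that follows as a null message. `$text = preg_replace("/[^\w @#\"':.()\[\]+\-_\/\\\!]/i", "_", (string)$text) ?? '';` covers both cases. The comment `// clean log-text` says what but not why; something like `// Restrict the message to a character allowlist: log text may carry request-derived data (GHSA-x525-54hf-xr53) and is stored and listed back through the SysLog API.` tells the next maintainer not to loosen it. logAction's body continues outside the hunk.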