Escape logfile output, fixes weird formatting and remote code execution vulnerability

This commit is contained in:
luukas 2021-06-02 21:47:08 +03:00
parent 344c2219ec
commit a79f42f4da


@ -5,6 +5,7 @@ import tornado.escape
import bleach import bleach
import os import os
import shutil import shutil
import html
from app.classes.shared.console import console from app.classes.shared.console import console
from app.classes.shared.models import Users, installer from app.classes.shared.models import Users, installer
@ -68,7 +69,7 @@ class AjaxHandler(BaseHandler):
for d in data: for d in data:
try: try:
line = helper.log_colors(d) line = helper.log_colors(html.escape(d))
self.write('{}<br />'.format(line)) self.write('{}<br />'.format(line))
# self.write(d.encode("utf-8")) # self.write(d.encode("utf-8"))