Escape logfile output, fixes weird formatting and remote code execution vulnerability

This commit is contained in:
luukas 2021-06-02 21:47:08 +03:00
parent 344c2219ec
commit a79f42f4da

View File

@ -5,6 +5,7 @@ import tornado.escape
import bleach
import os
import shutil
import html
from app.classes.shared.console import console
from app.classes.shared.models import Users, installer
@ -68,7 +69,7 @@ class AjaxHandler(BaseHandler):
for d in data:
try:
line = helper.log_colors(d)
line = helper.log_colors(html.escape(d))
self.write('{}<br />'.format(line))
# self.write(d.encode("utf-8"))